What is Microsoft Configuration Manager?
Microsoft Configuration Manager (SCCM/ConfigMgr/MECM, Microsoft Endpoint Configuration Manager) is the enterprise platform for deploying and managing software, security patches, operating system images, and configuration policies across an organization's Windows devices. ConfigMgr is deeply integrated with Active Directory, and its client agent runs as SYSTEM on every managed machine, so whatever the site deploys executes with full privilege on every endpoint. A compromised ConfigMgr site server is therefore a devastating pivot: an attacker can push malware or ransomware to the entire managed estate through the product's own software distribution mechanism, using infrastructure that defenders already trust.
Overview
CVE-2024-43468 is a pre-authentication SQL injection vulnerability (CWE-89) in Microsoft Configuration Manager. A remote, unauthenticated attacker who can reach a management point can inject SQL into queries the management point runs against the site database, and from there execute commands on the database host. The injection is in the management point's handling of client registration and inventory messages. Because the site database runs on SQL Server, SQL execution can be escalated to OS command execution through xp_cmdshell or similar stored procedures, which is why Microsoft rates the issue as remote code execution.
The 16-month gap between the October 2024 patch and the February 2026 CISA KEV listing reflects a common pattern for enterprise software vulnerabilities: the fix ships quietly, many administrators miss it (ConfigMgr updates are installed from the product's own console through Updates and Servicing, not delivered by Windows Update), and a working exploit eventually appears, often derived from the patch diff, to target the large unpatched install base.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Configuration Manager 2303 | Without KB29166583 | Apply KB29166583 |
| Configuration Manager 2309 | Without KB29166583 | Apply KB29166583 |
| Configuration Manager 2403 | Without KB29166583 | Apply KB29166583 |
| Configuration Manager 2409 | Without KB29166583 | Apply KB29166583 |
| Configuration Manager 2503 | Not applicable | Integrated in baseline |
Apply the hotfix KB29166583 for all affected versions. ConfigMgr 2503 includes the fix in its baseline.
Technical Details
The SQL injection (CWE-89) is in the ConfigMgr management point, the server role that receives registration and inventory messages from managed Windows endpoints over HTTP (TCP 80) or HTTPS (TCP 443) by default. When processing an incoming message, the management point builds SQL queries from client-supplied fields without sanitizing them. The affected message path is reachable before any authentication, so anyone who can reach the management point's IIS endpoints can send a crafted HTTP request that mimics a client enrollment message and carries a SQL payload in its body.
The management point frequently runs on the site server, which in many deployments also hosts the site database (SQL Server) or holds a highly trusted SQL Server login. With xp_cmdshell enabled (or with sysadmin rights to enable it), the injection yields OS command execution as the SQL Server service account, or its configured proxy account. How much that is worth depends on how the instance was set up: a SQL Server running under a local administrator, SYSTEM, or a privileged domain account hands the attacker the whole site, which is why the service account's privileges matter as much as the patch status.
Post-exploitation via ConfigMgr's capabilities:
- Deploy malicious software or scripts to all managed endpoints through ConfigMgr's application deployment and Run Scripts features, where they execute as SYSTEM
- Alter software update deployments so managed devices stop receiving security patches
- Read hardware and software inventory for every managed endpoint (asset intelligence, installed software, network topology)
- Extract secrets held in the site database, such as network access account credentials, task sequence variables, and client authentication certificates
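Because the injected SQL travels in the POST body of a client message, IIS logs on the management point do not record the payload itself, but they do record who talked to the message endpoints and with what user agent. The following PowerShell hunt, added here as an example and not taken from the advisory or from Microsoft, flags client-message requests that arrive from outside the known client subnets or that do not carry the ConfigMgr client's user agent. The endpoint paths (/ccm_system/request, /ccm_system_windowsauth/request), the agent string "ConfigMgr Messaging HTTP Sender", the client ranges, and the sample log lines are all assumptions constructed for the example.

```powershell
# Added example (not part of the original advisory): hunt IIS W3C logs on a
# management point for client-message traffic that does not look like a ConfigMgr
# client. The injection payload is in the POST body, which IIS does not log, so
# this hunts by source address and user agent, not by content.
# Assumptions: MP message endpoints are /ccm_system/request and
# /ccm_system_windowsauth/request, the genuine client identifies itself as
# "ConfigMgr Messaging HTTP Sender", and the client subnets below are known.

$AllowedClientCidrs = @('10.0.0.0/8', '192.168.0.0/16')   # assumption: managed client ranges
$MpEndpoints        = @('/ccm_system/request', '/ccm_system_windowsauth/request')
$ClientAgent        = 'ConfigMgr+Messaging+HTTP+Sender'   # IIS writes spaces in cs(User-Agent) as '+'

function ConvertTo-UInt32Address ([string]$Ip) {
    # Big-endian address bytes to an unsigned 32-bit integer, independent of host byte order.
    $n = [uint64]0
    foreach ($b in [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()) { $n = ($n * 256) + $b }
    [uint32]$n
}

function Test-IPv4InCidr ([string]$Ip, [string]$Cidr) {
    $network, $prefix = $Cidr -split '/'
    $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$prefix))
    ((ConvertTo-UInt32Address $Ip) -band $mask) -eq ((ConvertTo-UInt32Address $network) -band $mask)
}

function Find-SuspiciousMpRequests ([string[]]$LogLines) {
    # Honour the column order declared in the #Fields header rather than assuming it.
    $header = $LogLines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
    $fields = ($header -replace '^#Fields:\s*', '') -split '\s+'

    foreach ($line in ($LogLines | Where-Object { $_ -and $_ -notlike '#*' })) {
        $values = $line -split ' '
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }

        if ($MpEndpoints -notcontains "$($row['cs-uri-stem'])".ToLower()) { continue }

        $reasons = @()
        $inRange = $AllowedClientCidrs | Where-Object { Test-IPv4InCidr $row['c-ip'] $_ }
        if (-not $inRange)                           { $reasons += 'source outside client ranges' }
        if ($row['cs(User-Agent)'] -ne $ClientAgent) { $reasons += 'non-client user agent' }

        if ($reasons) {
            [pscustomobject]@{
                Time    = "$($row['date']) $($row['time'])"
                Source  = $row['c-ip']
                Path    = $row['cs-uri-stem']
                Agent   = $row['cs(User-Agent)']
                Status  = $row['sc-status']
                Reasons = $reasons -join '; '
            }
        }
    }
}

# Constructed sample log (not captured from a real system): a legitimate client
# message, one from outside the client ranges, one sent by a generic HTTP library,
# and an unrelated MP request that the filter ignores.
$SampleLog = @(
    '#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken',
    '2026-02-10 08:15:02 10.1.1.5 POST /ccm_system/request - 80 - 10.20.30.40 ConfigMgr+Messaging+HTTP+Sender - 200 0 0 31',
    '2026-02-10 08:15:09 10.1.1.5 POST /ccm_system/request - 80 - 203.0.113.77 ConfigMgr+Messaging+HTTP+Sender - 200 0 0 18',
    '2026-02-10 08:15:11 10.1.1.5 POST /ccm_system/request - 80 - 10.20.30.41 python-requests/2.31 - 500 0 0 412',
    '2026-02-10 08:15:12 10.1.1.5 GET /SMS_MP/.sms_aut MPLIST 80 - 10.20.30.42 ConfigMgr+Messaging+HTTP+Sender - 200 0 0 4'
)

# In production, replace $SampleLog with: Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\*.log'
Find-SuspiciousMpRequests $SampleLog | Format-Table -AutoSize
```

On the constructed sample this reports the 203.0.113.77 request (outside the client ranges) and the python-requests one (wrong agent), and skips the MPLIST lookup. A user agent is trivially spoofed, so treat the agent check as a low-cost filter for opportunistic scanning and rely on source-range scoping, and on the hotfix, for anything deliberate.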
Discovery
Not publicly attributed. The 16-month gap between the patch and the KEV listing shows only when exploitation was confirmed, not when it began; a plausible route to a working exploit is differential analysis of the hotfix re-released in October 2024, but that is inference, not a documented fact.
Exploitation Context
CISA added CVE-2024-43468 to the KEV catalog on February 12, 2026, confirming active exploitation 16 months after the patch was released. ConfigMgr is notoriously slow to get patched: the update must be applied from within the ConfigMgr console (Administration → Updates and Servicing), each site must be updated in turn, and many IT teams deprioritize updates to the management infrastructure itself. This left a large vulnerable install base for attackers to target.
No specific threat actor was publicly attributed at time of KEV listing.
Remediation
- Apply hotfix KB29166583 to all ConfigMgr versions listed above that predate 2503, from Administration → Updates and Servicing in the ConfigMgr console. The CISA BOD 22-01 deadline was March 5, 2026.
- Upgrade to ConfigMgr 2503 if possible; the fix is integrated in the baseline of the current version.
- Restrict network access to the management point (TCP 80/443 by default) to the client subnets and other site systems that need it. A management point should never be reachable from arbitrary internet sources; internet-based clients belong behind a cloud management gateway.
- Disable xp_cmdshell in the ConfigMgr SQL Server instance if it is not required (`EXEC sp_configure 'xp_cmdshell', 0`). This removes the most convenient OS command execution path, but an injection running with sysadmin rights can re-enable it, so treat this as hardening, not as a substitute for the hotfix.
- Audit ConfigMgr applications, packages, scripts, and deployments created or modified after October 2024 for anything unfamiliar; an unauthorized deployment is how an attacker would turn site access into code execution on every managed endpoint.
- Review the SQL Server service account: run the site database instance under a low-privilege service account rather than a local administrator, SYSTEM, or a privileged domain account, since xp_cmdshell executes with that account's rights.
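The remediation steps above, gathered into one PowerShell script as an added example (not the advisory's or Microsoft's code). It is meant to run from a console machine with the ConfigurationManager and SqlServer modules, by an account that is a ConfigMgr Full Administrator and sysadmin on the site database instance, and it reports only unless -Fix is given. Assumptions not stated on the page: the hotfix shows up in Updates and Servicing with "KB29166583" in its name, SMS_CM_UpdatePackages state 196612 means installed, the site code, server names, and subnets are placeholders, and the property names follow the SMS_Application, SMS_DeploymentSummary, and SMS_Scripts WMI classes.

```powershell
# Added example (not from the original advisory): check CVE-2024-43468 hotfix status,
# audit post-patch content, inspect xp_cmdshell and the SQL service account, and
# optionally scope the management point's HTTP/HTTPS to known ranges.
# Assumptions: hotfix name contains "KB29166583"; state 196612 = installed;
# site code, server names and subnets below are placeholders.
param(
    [string]$SiteCode       = 'PS1',                                # assumption: site code
    [string]$SqlInstance    = 'CM-SQL01',                           # assumption: site database instance
    [string]$MpServer       = 'CM-MP01',                            # assumption: management point host
    [datetime]$AuditSince   = '2024-10-01',                         # content created after the patch window
    [string[]]$ClientRanges = @('10.0.0.0/8', '192.168.0.0/16'),    # assumption: client and site-system subnets
    [switch]$Fix                                                    # apply changes; default is report only
)

# 1. Connect to the site using the console's module (documented import location).
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1')
Push-Location "$($SiteCode):\"

# 2. Hotfix status: anything other than an installed KB29166583, or a 2503+ baseline, is exposed.
$site = Get-CMSite -SiteCode $SiteCode
"Site $($site.SiteCode) version $($site.Version) build $($site.BuildNumber)"
Get-CMSiteUpdate | Where-Object { $_.Name -like '*KB29166583*' } |
    Select-Object Name, DateReleased, State, @{ n = 'Installed'; e = { $_.State -eq 196612 } }

# 3. Content and deployments created after the patch window; review unfamiliar authors.
"--- Applications created since $AuditSince"
Get-CMApplication -Fast | Where-Object { $_.DateCreated -gt $AuditSince } |
    Select-Object LocalizedDisplayName, CreatedBy, DateCreated
"--- Deployments created since $AuditSince"
Get-CMDeployment | Where-Object { $_.CreationTime -gt $AuditSince } |
    Select-Object SoftwareName, CollectionName, CreationTime, DeploymentIntent
"--- Run Scripts changed since $AuditSince"
Get-CMScript | Where-Object { $_.LastUpdateTime -gt $AuditSince } |
    Select-Object ScriptName, Author, ApprovalState, LastUpdateTime
Pop-Location

# 4. xp_cmdshell on the site database instance. Disabling it narrows the post-exploitation
#    path, but a sysadmin-level injection can re-enable it: hardening, not a patch substitute.
$cfg = Invoke-Sqlcmd -ServerInstance $SqlInstance -Database master -Query `
    "SELECT name, value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell'"
"xp_cmdshell value_in_use = $($cfg.value_in_use)"
if ($Fix -and $cfg.value_in_use -eq 1) {
    Invoke-Sqlcmd -ServerInstance $SqlInstance -Database master -Query @"
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;           RECONFIGURE;
"@
}

# 5. Which account runs SQL Server? xp_cmdshell executes as this account (or its proxy),
#    so it should not be a local administrator, SYSTEM, or a privileged domain account.
$sqlHost = ($SqlInstance -split '\\')[0]          # strip a named-instance suffix for CIM
Get-CimInstance -ClassName Win32_Service -ComputerName $sqlHost |
    Where-Object { $_.Name -like 'MSSQL*' } | Select-Object Name, StartName

# 6. Scope the MP's 80/443 to known ranges. Windows Firewall has no "allow except" rule:
#    the inbound default must be Block, and every unscoped Allow for these ports must be
#    disabled or scoped, otherwise it still lets the world in. Runs on the MP via WinRM.
if ($Fix) {
    Invoke-Command -ComputerName $MpServer -ScriptBlock {
        New-NetFirewallRule -DisplayName 'ConfigMgr MP - clients and site systems only' `
            -Direction Inbound -Protocol TCP -LocalPort 80, 443 `
            -RemoteAddress $using:ClientRanges -Action Allow
        # Remaining unscoped allow rules on these ports; review and disable or scope each.
        Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -in @('80', '443') } |
            Get-NetFirewallRule |
            Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and
                           $_.DisplayName -notlike 'ConfigMgr MP*' } |
            Select-Object DisplayName, Enabled
    }
}
```

Run it once without -Fix and keep the output as the pre-remediation record; the application, deployment and script listings are the part an incident responder will ask for if the site turns out to have been reached before the hotfix went on. The firewall step deliberately stops at listing the unscoped rules rather than deleting them, because IIS on a site server often serves other roles (distribution point, software update point) that may need a different remote-address scope.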
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2024-43468 |
| Vendor / Product | Microsoft — Configuration Manager |
| NVD Published | 2024-10-08 |
| NVD Last Modified | 2026-02-13 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-89 |
| CISA KEV Added | 2026-02-12 |
| CISA KEV Deadline | 2026-03-05 |
| Known Ransomware Use | No |
CVSS 3.1 Breakdown
| Metric | Value |
|---|---|
| Attack Vector (AV) | Network |
| Attack Complexity (AC) | Low |
| Privileges Required (PR) | None |
| User Interaction (UI) | None |
| Scope (S) | Unchanged |
| Confidentiality (C) | High |
| Integrity (I) | High |
| Availability (A) | High |
Timeline
| Date | Event |
|---|---|
| 2024-09-04 | Microsoft releases hotfix KB29166583 (initial release, later withdrawn) |
| 2024-09-18 | Microsoft temporarily unpublishes the hotfix |
| 2024-10-08 | CVE published; patch re-released |
| 2026-02-12 | CISA adds CVE-2024-43468 to the KEV catalog, confirming active exploitation roughly 16 months after the patch |
| 2026-03-05 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Microsoft Security Response Center — CVE-2024-43468 | Vendor Advisory |
| Microsoft KB29166583 — ConfigMgr Security Hotfix | Vendor Advisory |
| NVD — CVE-2024-43468 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |