CISA Flags Actively Exploited Microsoft SCCM SQL Injection Vulnerability CVE-2024-43468
CISA added CVE-2024-43468, a critical SQL injection flaw in Microsoft Configuration Manager (SCCM), to its Known Exploited Vulnerabilities catalog on February 12, 2026. Federal agencies must remediate it by March 5, 2026, under Binding Operational Directive 22-01. An unauthenticated attacker who can reach a management point over HTTP can send crafted requests that inject SQL into queries run against the site database and, from there, execute commands on the server.
Vulnerability Breakdown
The bug is missing input validation in the management point's MP_Location service: its getMachineID and getContentID routines build SQL queries from values taken straight from client messages. The injected SQL runs with sysadmin rights on the site database, so an attacker can enable xp_cmdshell and run operating-system commands on the SQL Server host. SCCM is the tool enterprises use to push software and updates to every managed endpoint, so a compromised site is a direct route to the whole fleet.
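The following T-SQL script is an added illustration of the bug class, not Configuration Manager's code (the real MP_Location logic is native code inside the management point). The table, column and procedure names are assumptions chosen to mirror a "look up the machine record for this client ID" query; the sample row and payload are constructed. It shows the concatenation pattern that lets a crafted identifier append a second statement, next to the parameterised form that cannot.

```sql
-- Added illustrative example; not Configuration Manager's own code.
-- dbo.MachineIdentity, SMSID and the two procedures are assumed names.
CREATE TABLE dbo.MachineIdentity (MachineID int NOT NULL, SMSID nvarchar(256) NOT NULL);
INSERT INTO dbo.MachineIdentity VALUES (16777217, N'GUID:0C4B2F1E-0000-0000-0000-000000000001');  -- constructed row
GO

-- Vulnerable pattern: the client-supplied identifier is pasted into the query
-- text, so a value containing a quote ends the literal and appends statements.
CREATE OR ALTER PROCEDURE dbo.GetMachineID_Unsafe @ClientId nvarchar(256)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT MachineID FROM dbo.MachineIdentity WHERE SMSID = N''' + @ClientId + N'''';
    EXEC (@sql);
END
GO

-- Hardened pattern: the identifier is bound as a typed parameter; the query
-- text never changes, so no input can add a second statement.
CREATE OR ALTER PROCEDURE dbo.GetMachineID_Safe @ClientId nvarchar(256)
AS
BEGIN
    EXEC sp_executesql
        N'SELECT MachineID FROM dbo.MachineIdentity WHERE SMSID = @id',
        N'@id nvarchar(256)',
        @id = @ClientId;
END
GO

-- A stacked-query payload of the kind a crafted client message carries.
-- The marker SELECT stands in for what an attacker would actually run with a
-- sysadmin connection, e.g. EXEC xp_cmdshell.
DECLARE @payload nvarchar(256) = N'x''; SELECT ''injected'' AS Marker; --';

-- Unsafe: the built text becomes
--   SELECT MachineID ... WHERE SMSID = N'x'; SELECT 'injected' AS Marker; --'
-- and the second result set contains the row 'injected'.
EXEC dbo.GetMachineID_Unsafe @payload;

-- Safe: the whole payload is compared as a string and matches no row.
EXEC dbo.GetMachineID_Safe @payload;
GO

DROP PROCEDURE dbo.GetMachineID_Unsafe, dbo.GetMachineID_Safe;
DROP TABLE dbo.MachineIdentity;
```

Run it in SSMS against a scratch database. The only difference between the two procedures is whether the identifier is data or code; that is the whole fix, and it is why "input validation" on the caller side is never a substitute for parameterised queries.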
Microsoft rates it CVSS 3.1 9.8 (critical): network attack vector, low complexity, no privileges or user interaction required, and high impact on confidentiality, integrity and availability. Synacktiv found and reported the flaw and published a write-up with proof-of-concept code in November 2024.
CISA warned: “These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.” They urged: “Apply mitigations per vendor instructions… or discontinue use of the product if mitigations are unavailable.”
Microsoft stated: “An unauthenticated attacker could exploit this vulnerability by sending specially crafted requests to the target environment which are processed in an unsafe manner enabling the attacker to execute commands on the server and/or underlying database.”
Impacted Versions
Microsoft fixed it in October 2024 with a hotfix for the supported current-branch versions listed below; take the KB number for your version from the Microsoft Security Update Guide entry for CVE-2024-43468. (KB5044285 is a Windows 11 cumulative update, not the Configuration Manager fix.)
| SCCM Version | Status | Fix Required |
|---|---|---|
| 2211 and earlier | Out of support; vulnerable | Upgrade to a supported current-branch version, then apply the hotfix |
| 2303 | Vulnerable until patched | October 2024 hotfix |
| 2309 | Vulnerable until patched | October 2024 hotfix |
| 2403 | Vulnerable until patched | October 2024 hotfix |
Detection and Response
Focus on the site database server. Review the SQL Server error log and audit trail (in SSMS, or through Defender alerts where you have them) for xp_cmdshell being enabled, new logins or sysadmin role members, and query text that does not come from Configuration Manager. On management points, check IIS logs for clients that are not yours. Ransomware groups target SCCM because a compromised site can push payloads to every managed endpoint, which turns one server into fleet-wide lateral movement.
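The hunting queries below are an added example for responders, not part of the article and not Microsoft guidance. They use only standard SQL Server catalog views, DMVs, the default trace and xp_readerrorlog, so they run unchanged in SSMS against the site database instance as a sysadmin. The list of accounts you expect in sysadmin (site server, SMS Provider, DBAs) is yours to supply.

```sql
-- Added example for incident responders; not from the article or Microsoft.
-- Run against the Configuration Manager site database instance as sysadmin.

-- 1. Is xp_cmdshell (or a sibling that also gives code execution) enabled now?
--    Configuration Manager does not need any of these; 1 means enabled.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'show advanced options', 'Ole Automation Procedures');

-- 2. Was it toggled recently? Every sp_configure change writes a line like
--    "Configuration option 'xp_cmdshell' changed from 0 to 1" to the error log.
--    Arguments: log number (0 = current; raise it for older logs), 1 = SQL log,
--    then two strings that must both appear in a matching line.
EXEC master.dbo.xp_readerrorlog 0, 1, N'Configuration option', N'xp_cmdshell';

-- 3. Current sysadmin members, newest first. Anything you did not create is a finding.
SELECT m.name AS member_name, m.type_desc, m.create_date, m.modify_date
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin'
ORDER BY m.create_date DESC;

-- 4. Login and role changes recorded by the default trace (enabled by default,
--    survives a cache flush, rolls over at 5 x 20 MB).
DECLARE @path nvarchar(260) = (SELECT path FROM sys.traces WHERE is_default = 1);
SELECT t.StartTime, t.LoginName, t.HostName, t.ApplicationName, e.name AS event_name, t.TextData
FROM sys.fn_trace_gettable(@path, DEFAULT) t
JOIN sys.trace_events e ON e.trace_event_id = t.EventClass
WHERE e.name IN ('Audit Add Login Event',
                 'Audit Add Login to Server Role Event',
                 'Audit Add Member to DB Role Event',
                 'Audit Login Change Password Event')
ORDER BY t.StartTime DESC;

-- 5. Cached statements that reference xp_cmdshell or OPENROWSET. Stacked
--    injection payloads stay in the plan cache until it is flushed or the
--    instance restarts; the NOT LIKE clause hides this query itself.
SELECT TOP (50) qs.last_execution_time, qs.execution_count, st.text
FROM sys.dm_exec_query_stats qs
CROSS APPLY sys.dm_exec_sql_text(qs.sql_handle) st
WHERE (st.text LIKE '%xp_cmdshell%' OR st.text LIKE '%OPENROWSET%')
  AND st.text NOT LIKE '%dm_exec_query_stats%'
ORDER BY qs.last_execution_time DESC;
```

Treat a hit in queries 1 or 2 as a compromise indicator rather than a misconfiguration: an attacker with sysadmin-level injection can turn xp_cmdshell on and off around each use, so also check the error log history (log numbers 1 and up) and the HostName and ApplicationName columns in query 4 for sessions that did not originate from the site server or the SMS Provider.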
Mitigation Guide
- Apply the hotfix now. Test in staging first, but do not let testing run past the CISA deadline.
- Limit exposure: allow TCP 1433 to the site database only from site systems, and allow 80/443 to management points only from client networks, never from untrusted sources.
- IIS request filtering or a WAF in front of the management point is a supplementary control at best, not a fix. Keep xp_cmdshell disabled on the site database instance (it is off by default); a sysadmin-level injection can re-enable it, so treat any change as an alert rather than a barrier, and grant database rights only to the accounts Configuration Manager actually requires.
- Turn on SQL Server auditing and forward management point and SQL logs to your SIEM. MFA on console and Azure-integrated administrative access does not stop this unauthenticated flaw, but it limits what an attacker can do with credentials stolen afterwards.
| Priority Action | Benefit | Tools |
|---|---|---|
| Patch Deployment | Blocks core exploit | Microsoft Update Catalog |
| Network Blocks | Stops remote access | Firewalls/WAF |
| Log Monitoring | Early detection | SIEM, Event Viewer |
| Privilege Limits | Reduces damage | RBAC policies​ |
FAQ
How severe is CVE-2024-43468?
CVSS 9.8. No authentication is needed; remote SQL injection leads to command execution on the site database server.
When must federal agencies patch?
By March 5, 2026, per CISA BOD 22-01.
Who discovered it?
Synacktiv, which published its write-up and proof-of-concept code on November 26, 2024.
What if I cannot patch?
CISA's directive says to discontinue use of the product if mitigations are unavailable. In practice, isolate management points and the site database from untrusted networks until the hotfix is applied.
Does this apply outside the federal government?
Yes. CISA recommends that all defenders patch urgently because the flaw is under active attack.