CISA Flags Actively Exploited Microsoft Configuration Manager RCE (CVE-2024-43468)
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-43468 to its Known Exploited Vulnerabilities (KEV) catalog after determining the flaw is being actively exploited in the wild. The vulnerability is a critical (CVSS 9.8) SQL injection in Microsoft Configuration Manager (ConfigMgr/SCCM). It can allow an unauthenticated remote attacker to achieve remote code execution by sending specially crafted requests, enabling command execution on the ConfigMgr server and/or its underlying site database with high/SYSTEM-level impact. CISA set a remediation deadline of March 5 for U.S. Federal Civilian Executive Branch agencies under its Binding Operational Directive requirements. Public reporting noted that Microsoft’s advisory had previously assessed exploitation as “less likely,” and that Microsoft had not (as of reporting) publicly detailed the threat actors or scope of exploitation.
The issue was originally patched by Microsoft in October 2024 after being reported by Synacktiv, and proof-of-concept exploit code was later published (including by Synacktiv), lowering the barrier to weaponization. Separate CISA KEV updates the same week also drove patching urgency across other widely deployed products (including SolarWinds Web Help Desk and multiple Apple platforms for a reportedly “extremely sophisticated” targeted attack). Together, these reinforce that organizations should treat KEV additions as a high-confidence signal to accelerate patching and exposure reduction, particularly for internet-reachable management tooling like ConfigMgr that can provide broad administrative control if compromised.

How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
CISA orders federal agencies to patch by March 5
Under Binding Operational Directive 22-01, CISA directed U.S. federal civilian agencies to remediate CVE-2024-43468 by March 5, 2026, and urged private-sector defenders to patch promptly as well.
CISA adds CVE-2024-43468 to the KEV catalog
CISA added CVE-2024-43468 to its Known Exploited Vulnerabilities catalog after determining the Microsoft Configuration Manager flaw was being actively exploited in the wild.
Synacktiv publishes proof-of-concept exploit code
Synacktiv later released proof-of-concept exploit code for CVE-2024-43468, increasing public availability of exploitation details for the Configuration Manager flaw.
Microsoft patches CVE-2024-43468 in Configuration Manager
Microsoft released fixes for CVE-2024-43468 in late 2024, with the references describing the patch as issued in October 2024 and in Microsoft’s November 2024 Patch Tuesday updates. Affected organizations were advised to upgrade to Configuration Manager 2311 or later and apply the relevant KB updates.
Synacktiv reports CVE-2024-43468 to Microsoft
Synacktiv discovered and reported CVE-2024-43468, a critical SQL injection vulnerability in Microsoft Configuration Manager that can enable unauthenticated remote code execution on the server and site database. The exact reporting date is not specified in the references.
Sources
CISA Warns of Microsoft Configuration Manager SQL Injection Vulnerability Exploited in Attacks
cybersecuritynews.com
CISA flags critical Microsoft SCCM flaw as exploited in attacks
bleepingcomputer.com
Critical Microsoft bug from 2024 under exploitation • The Register
go.theregister.com


