Microsoft Configuration Manager SQL Injection Remote Code Execution Vulnerability
CVE-2024-43468 is a critical SQL injection vulnerability in Microsoft Configuration Manager (formerly SCCM/ConfigMgr) that can be escalated to remote code execution. An unauthenticated attacker sends specially crafted requests to a Management Point, where untrusted input is incorporated into backend SQL statements without sanitization. Public reporting attributes the flaw to insufficient sanitization of requests to a network-reachable (in some deployments internet-reachable) endpoint; one account places the vulnerable path in the getMachineID function, which processes XML messages for the MP_Location endpoint before constructing SQL queries. Successful exploitation yields arbitrary SQL execution against the site database in the context of the Management Point's database login, typically the MP machine account, which in many sites holds sysadmin. From there an attacker can add Configuration Manager administrators directly in the database or escalate to operating system command execution on the SQL Server host, for example by enabling xp_cmdshell, which runs commands as the SQL Server service account. Microsoft fixed the issue in October 2024 as an in-console update; any site that has not taken that update on every Management Point should treat the endpoint as exploitable without credentials.
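The injection pattern described above, reduced to a runnable stand-in. This is an added example, not Configuration Manager code: the XML element name, the table layout, and the SQLite backend are assumptions chosen to show the difference between pasting a message field into a SQL string and binding it as a parameter. The payload below is a plain UNION-based read; on SQL Server the same position would also accept stacked statements, which is what the xp_cmdshell escalation relies on.

```python
"""Stand-in for 'XML field pasted into SQL' (constructed example, not ConfigMgr code).
Assumptions: element <SMBIOSGUID>, the toy tables below, SQLite instead of SQL Server."""
import re
import sqlite3
import xml.etree.ElementTree as ET


def make_db() -> sqlite3.Connection:
    # Toy tables standing in for client and admin records (constructed data).
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE machines (machine_id INTEGER, smbios_guid TEXT, name TEXT);
        CREATE TABLE admins (logon_name TEXT);
        INSERT INTO machines VALUES
            (16777217, 'E2B3A5C1-1111-2222-3333-444455556666', 'WS01'),
            (16777218, 'F7D8E9A0-1111-2222-3333-444455556666', 'WS02');
        INSERT INTO admins VALUES ('CORP\\cm-admin');
    """)
    return con


def guid_from_message(xml_text: str) -> str:
    # Pull the client identifier out of the request body.  The element name
    # SMBIOSGUID is an assumption for illustration, not the real message schema.
    root = ET.fromstring(xml_text)
    node = root.find("SMBIOSGUID")
    if node is None or node.text is None:
        raise ValueError("message has no SMBIOSGUID element")
    return node.text.strip()


def lookup_vulnerable(con: sqlite3.Connection, xml_text: str) -> list:
    # String concatenation: whatever was in the XML becomes part of the statement.
    guid = guid_from_message(xml_text)
    sql = f"SELECT machine_id, name FROM machines WHERE smbios_guid = '{guid}'"
    return con.execute(sql).fetchall()


GUID_RE = re.compile(r"^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$")


def lookup_safe(con: sqlite3.Connection, xml_text: str) -> list:
    # Parameterised query: the value is bound as data and can never become SQL
    # syntax.  The format check is defence in depth on top of that, not the fix.
    guid = guid_from_message(xml_text)
    if not GUID_RE.match(guid):
        return []
    return con.execute(
        "SELECT machine_id, name FROM machines WHERE smbios_guid = ?", (guid,)
    ).fetchall()


# Constructed messages: one legitimate lookup, one carrying a UNION injection.
LEGIT = "<Msg><SMBIOSGUID>E2B3A5C1-1111-2222-3333-444455556666</SMBIOSGUID></Msg>"
PAYLOAD = ("<Msg><SMBIOSGUID>x' UNION SELECT 0, logon_name FROM admins --"
           "</SMBIOSGUID></Msg>")

if __name__ == "__main__":
    con = make_db()
    print(lookup_vulnerable(con, LEGIT))    # normal lookup
    print(lookup_vulnerable(con, PAYLOAD))  # leaks the admins table
    print(lookup_safe(con, PAYLOAD))        # [] : the payload is just a string
```

The vulnerable path returns the contents of an unrelated table because the closing quote in the payload ends the literal and the rest is parsed as SQL; the parameterised path never lets that happen, and the format check merely rejects the request earlier with less database work.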
Exploits
Two public exploits remain after filtering out fakes, detection scripts, and README-only repositories (one is hidden on this listing).
This repository is a Go-based exploit for CVE-2024-43468, a critical unauthenticated SQL injection vulnerability in Microsoft Configuration Manager (SCCM/ConfigMgr) Management Points. It targets SCCM servers reachable over the network and authenticates with mutual TLS (mTLS) using client certificates stored in the macOS Keychain. The main exploit logic lives in 'main.go', which builds and sends specially crafted requests to the '/ccm_system/request' endpoint on the target server; a successful run executes attacker-chosen SQL against the SCCM site database, for example to create new admin users or run other privileged statements. 'signer/keychain.go' provides Go bindings for using Keychain client certificates in the mTLS handshake, and 'get_cert_name.py' is a helper that lists Keychain certificate common names so one can be selected. The code is operational, requires a valid client certificate in the attacker's macOS Keychain, and supports optional SOCKS5 proxying of its traffic. The repository cleanly separates the exploit logic, certificate handling, and helper utilities.
This repository contains a Python exploit script (CVE-2024-43468.py) and a detailed README for CVE-2024-43468, a critical unauthenticated SQL injection vulnerability in Microsoft Configuration Manager (SCCM) Management Points. The script targets the '/ccm_system/request' endpoint and lets an attacker with network access run arbitrary SQL against the SCCM site database as the MP machine account, which typically holds sysadmin. It supports HTTP and HTTPS targets, with optional mutual TLS authentication where the server requires a client certificate. With that access an attacker can create new database administrator users, escalate privileges, or reach remote code execution through SQL Server features such as xp_cmdshell. The README covers usage, affected versions, and example payloads. The code is operational; the attacker supplies the target URL and the SQL query, plus optional client-certificate parameters.
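Both exploits above hit '/ccm_system/request' with tooling that does not look like a Configuration Manager client, which is the one thing a Management Point's IIS log does record. The following triage heuristic is an added example, not part of either repository: it parses W3C extended-log lines and flags POSTs to the MP request endpoints that come from outside the site's client address ranges or carry a user agent that does not match the client's. The log lines are constructed, and the field order, the 'SMS+CCM' user-agent prefix, and the 10.0.0.0/8 client range are assumptions to be replaced with the values from your own logs.

```python
"""Triage of Management Point IIS logs for exploit-style requests.
Constructed sample lines; field order, client UA prefix and client ranges are assumptions."""
import ipaddress

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2024-10-09 10:15:01 10.0.0.5 POST /ccm_system/request - 443 - 10.0.12.34 SMS+CCM+5.0+(ConfigMgr) 200 0 0 12
2024-10-09 10:15:03 10.0.0.5 GET /SMS_MP/.sms_aut MPLIST 443 - 10.0.12.35 SMS+CCM+5.0+(ConfigMgr) 200 0 0 3
2024-10-09 10:16:40 10.0.0.5 POST /ccm_system/request - 443 - 203.0.113.77 Go-http-client/1.1 200 0 0 431
2024-10-09 10:16:52 10.0.0.5 POST /ccm_system/request - 443 - 10.0.12.40 python-requests/2.32.3 500 0 0 880
2024-10-09 10:17:10 10.0.0.5 POST /ccm_system_windowsauth/request - 443 CORP\\WS03$ 10.0.12.36 SMS+CCM+5.0+(ConfigMgr) 200 0 0 9
"""

# Endpoints named in the exploit write-ups (the second is the Windows-auth variant).
MP_PATHS = ("/ccm_system/request", "/ccm_system_windowsauth/request")
CLIENT_UA_PREFIXES = ("SMS+CCM",)                    # assumption: expected client UA
CLIENT_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumption: managed client ranges


def parse_w3c(text: str) -> list:
    """Turn W3C extended-log text into dicts keyed by the #Fields header."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue            # other directives and blank lines
        else:
            values = line.split()
            if len(values) == len(fields):
                records.append(dict(zip(fields, values)))
    return records


def suspicious_mp_requests(records: list, client_nets=CLIENT_NETS,
                           ua_prefixes=CLIENT_UA_PREFIXES) -> list:
    """POSTs to the MP request endpoints from outside client ranges or with a non-client UA."""
    hits = []
    for r in records:
        if r["cs-method"] != "POST" or r["cs-uri-stem"].lower() not in MP_PATHS:
            continue
        src = ipaddress.ip_address(r["c-ip"])
        outside = not any(src in net for net in client_nets)
        odd_ua = not r["cs(User-Agent)"].startswith(ua_prefixes)
        if outside or odd_ua:
            hits.append((f'{r["date"]} {r["time"]}', r["c-ip"], r["cs(User-Agent)"],
                         r["sc-status"], "external-source" if outside else "non-client-agent"))
    return hits


if __name__ == "__main__":
    for hit in suspicious_mp_requests(parse_w3c(SAMPLE_LOG)):
        print(hit)
```

IIS does not log the POST body, so this cannot see the SQL itself; a hit is a lead, not a verdict, and a patient attacker can spoof the user agent. Confirm on the database side: whether xp_cmdshell is enabled on the site database server, and whether administrative accounts appeared in Configuration Manager that nobody created through the console.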
Affected products & vendors
Microsoft Configuration Manager (vendor: Microsoft). Consult Microsoft's advisory for the exact current-branch versions and the in-console update that resolves the issue.
Recent activity
45 sources tracked across advisories, community write-ups, and news. How they describe the flaw:
- A critical unauthenticated SQL injection in Microsoft Configuration Manager (one source places it in the console services) in which crafted HTTP requests lead to arbitrary SQL execution against the backend SQL Server, enabling data theft, privilege escalation, and potential OS command execution up to full environment compromise.
- A critical unauthenticated SQL injection in Microsoft Configuration Manager (MP_Location endpoint; getMachineID processing of XML messages) that can be escalated to server-side RCE, e.g. via xp_cmdshell.
- The same MP_Location/getMachineID path, described as escalatable to remote code execution (e.g. via xp_cmdshell) against internet-exposed endpoints.
- An unauthenticated SQL injection in Microsoft Configuration Manager that can lead to command execution on the server or the underlying database.