CVE-2024-43468
published 2024-10-08

CVE-2024-43468: Microsoft Configuration Manager Remote Code Execution Vulnerability

Severity: critical, 9.8 (CVSS 3.1), priority P1 (94)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV, ITW, EXPLOIT, Initial access
CISA Known Exploited Vulnerability, due 2026-03-05
Exploited in the wild
EPSS: 60.66% (99.0th percentile)

Affected (4 ranges)

Vendor     Product                           Version range           Fixed in
microsoft  microsoft_configuration_manager   >= 1.0.0 < 5.00.9106    5.00.9106
msrc       microsoft_configuration_manager_2303
msrc       microsoft_configuration_manager_2309
msrc       microsoft_configuration_manager_2403

Detection & IOCs (extracted from sources)

url:     /ccm_system/request
command: CCM_POST
bytes:   U|00|I|00|D|00|:|00|
snort:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Microsoft Configuration Manager Unauthenticated SQL Injection (CVE-2024-43468)"; flow:established,to_server; http.method; content:"CCM_POST"; http.uri; content:"/ccm_system/request"; fast_pattern; http.request_body; content:"U|00|I|00|D|00|:|00|"; pcre:"/^[^\x22]{36,100}[\x3b\x26\x60\x7c\x24]/R"; reference:url,www.synacktiv.com/advisories/microsoft-configuration-manager-configmgr-2403-unauthenticated-sql-injections; reference:cve,2024-43468; classtype:web-application-attack; sid:2059681; rev:2; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2025_01_27, cve CVE_2024_43468, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2025_02_12, reviewed_at 2025_07_07, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Look for HTTP requests using the custom method 'CCM_POST' targeting the URI '/ccm_system/request' — this is the specific endpoint and method used to exploit the SQL injection in Microsoft Configuration Manager.
  • In the request body, look for the UTF-16LE encoded string 'UID:' (U|00|I|00|D|00|:|00|) followed by 36–100 bytes that contain no double quote and then one of the characters ; & ` | $ (the rule's PCRE, applied relative to the 'UID:' match via /R). The quantifier counts raw payload bytes, not characters, so a 36-character GUID encoded as UTF-16LE occupies 72 of those 36–100 bytes; a well-formed identifier contains none of those metacharacters, so one appearing in that window indicates an injected statement rather than an identifier.
  • The vulnerability is an unauthenticated SQL injection; exploitation requires no credentials. Note that /ccm_system/request is the management point endpoint that clients use without Windows authentication by design (the authenticated counterpart is /ccm_system_windowsauth), so unauthenticated inbound requests to it are normal: alert on the method, URI and body pattern above rather than on unauthenticated access alone.
  • Public proof-of-concept exploit code was released by Synacktiv on November 26, 2024. Treat any exploitation attempts as high-confidence given PoC availability and CISA KEV listing.
  • The Snort/Suricata rule (ET sid:2059681) is tagged for both Perimeter and Internal deployment and carries tls_state TLSDecrypt: client-to-management-point traffic is typically HTTPS, so without TLS inspection on the segments that carry it the sensor cannot see the method, URI or body and the rule will not fire on those sessions. Ensure TLS inspection covers the path between clients (or the internet-facing boundary) and the management point.
  • The fix is the in-console update KB29166583 for Configuration Manager 2303, 2309 and 2403 (fixed build 5.00.9106 per the affected table above). It is not delivered through Windows Update or WSUS; administrators must apply it from the Updates and Servicing node of the Configuration Manager console and let it roll out to the site's management points.
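The matching logic of the Snort rule above, reimplemented in Python as an added example so the conditions can be exercised against raw HTTP requests offline. This is not the page's, Emerging Threats' or Synacktiv's code, and it is not an exploit: the GUID, the management point hostname mp.corp.example and the injected string are constructed for illustration only. The function names (parse_request, matches_rule, build_request) are this example's own.

```python
import re

# ET sid:2059681, reimplemented. Constructed example; not the Snort engine.

# content:"U|00|I|00|D|00|:|00|"  -> "UID:" in UTF-16LE. The same 8 bytes also
# form the tail of "GUID:" in UTF-16LE, so the rule matches both spellings.
UID_MARKER = "UID:".encode("utf-16-le")

# The rule's pcre without the leading ^: Pattern.match(body, pos) anchors at
# pos, which is what /R (relative to the previous content match) expresses.
# Snort matches raw payload bytes, so {36,100} counts bytes: a 36-character
# GUID in UTF-16LE is 72 bytes, and every NUL byte counts as a non-quote byte.
INJECTION_PCRE = re.compile(rb"[^\x22]{36,100}[\x3b\x26\x60\x7c\x24]")


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, uri, body); None if malformed."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    request_line = head.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) < 2:
        return None
    return parts[0], parts[1], body


def matches_rule(raw: bytes) -> bool:
    """True when a request satisfies every condition of ET sid:2059681."""
    parsed = parse_request(raw)
    if parsed is None:
        return False
    method, uri, body = parsed
    if method != b"CCM_POST":                   # http.method; content:"CCM_POST"
        return False
    if b"/ccm_system/request" not in uri:       # http.uri; content:"/ccm_system/request"
        return False
    # http.request_body; content:"UID:" then pcre /R. Snort re-evaluates the
    # pcre after each content hit, so every occurrence of the marker is tried.
    start = 0
    while True:
        idx = body.find(UID_MARKER, start)
        if idx == -1:
            return False
        if INJECTION_PCRE.match(body, idx + len(UID_MARKER)):
            return True
        start = idx + 1


def build_request(method: bytes, uri: bytes, body_text: str) -> bytes:
    """Assemble a raw HTTP/1.1 request with a UTF-16LE body (constructed, not captured)."""
    body = body_text.encode("utf-16-le")
    return (method + b" " + uri + b" HTTP/1.1\r\n"
            b"Host: mp.corp.example\r\n"                 # placeholder hostname
            b"Content-Type: text/plain; charset=utf-16\r\n"
            b"Content-Length: " + str(len(body)).encode("ascii") + b"\r\n"
            b"\r\n" + body)


# Constructed sample bodies. The GUID is a made-up client identifier.
GUID = "3f2504e0-4f89-11d3-9a0c-0305e82c3301"
LEGIT_BODY = f"<ClientID>UID:{GUID}</ClientID>"
INJECTED_BODY = f"<ClientID>UID:{GUID}';select 1--</ClientID>"
# Same injection, but with 20 padding characters (40 bytes in UTF-16LE) after
# the GUID: the ';' lands past the 100-byte window, so the rule does not fire.
PADDED_BODY = f"<ClientID>UID:{GUID}{'A' * 20}';select 1--</ClientID>"

LEGIT_REQUEST = build_request(b"CCM_POST", b"/ccm_system/request", LEGIT_BODY)
INJECTED_REQUEST = build_request(b"CCM_POST", b"/ccm_system/request", INJECTED_BODY)
PADDED_REQUEST = build_request(b"CCM_POST", b"/ccm_system/request", PADDED_BODY)


if __name__ == "__main__":
    for name, req in [("legit", LEGIT_REQUEST), ("injected", INJECTED_REQUEST),
                      ("padded", PADDED_REQUEST)]:
        print(f"{name:9s} -> {'ALERT' if matches_rule(req) else 'no match'}")
```

The padded case is the practical caveat: the rule is a byte-window signature, and a metacharacter that lands more than 100 bytes after the marker is outside what it inspects, so treat the rule as one high-confidence indicator rather than complete coverage of the endpoint. A plain POST, or a CCM_POST to /ccm_system_windowsauth/request, does not match either, exactly as the http.method and http.uri buffers in the rule dictate.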

CVSS provenance

nvd (v3.1):   9.8 CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck:    9.8 CRITICAL
cisa:         9.8 CRITICAL
vendor_msrc:  9.8 CRITICAL