CVE-2024-43468
published 2024-10-08
CVE-2024-43468: Microsoft Configuration Manager Remote Code Execution Vulnerability
Priority P194 · critical · 9.8 CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, due 2026-03-05
Exploited in the wild
EPSS: 60.66% (99.0th percentile)
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | microsoft_configuration_manager | >= 1.0.0 < 5.00.9106 | 5.00.9106 |
| msrc | microsoft_configuration_manager_2303 | — | — |
| msrc | microsoft_configuration_manager_2309 | — | — |
| msrc | microsoft_configuration_manager_2403 | — | — |
Detection & IOCs (extracted from sources)
- url: /ccm_system/request
- command: CCM_POST
- bytes: U|00|I|00|D|00|:|00|
- snort:

```snort
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Microsoft Configuration Manager Unauthenticated SQL Injection (CVE-2024-43468)"; flow:established,to_server; http.method; content:"CCM_POST"; http.uri; content:"/ccm_system/request"; fast_pattern; http.request_body; content:"U|00|I|00|D|00|:|00|"; pcre:"/^[^\x22]{36,100}[\x3b\x26\x60\x7c\x24]/R"; reference:url,www.synacktiv.com/advisories/microsoft-configuration-manager-configmgr-2403-unauthenticated-sql-injections; reference:cve,2024-43468; classtype:web-application-attack; sid:2059681; rev:2; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2025_01_27, cve CVE_2024_43468, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2025_02_12, reviewed_at 2025_07_07, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```

- Look for HTTP requests using the custom method 'CCM_POST' targeting the URI '/ccm_system/request'; this is the specific endpoint and method used to exploit the SQL injection in Microsoft Configuration Manager.
- In the request body, look for the UTF-16LE encoded string 'UID:' (U|00|I|00|D|00|:|00|) followed by a value of 36–100 non-quote characters ending in SQL injection metacharacters (semicolon, ampersand, backtick, pipe, or dollar sign); this matches the PCRE pattern in the Snort rule.
- The vulnerability is an unauthenticated SQL injection; exploitation requires no credentials. Monitor for unauthenticated inbound requests to the ConfigMgr management point on the /ccm_system/request endpoint.
- Public proof-of-concept exploit code was released by Synacktiv on November 26, 2024. Treat any exploitation attempts as high-confidence given PoC availability and CISA KEV listing.
- The Snort rule (ET sid:2059681) is tagged for both Perimeter and Internal deployment, and requires TLS decryption (SSLDecrypt) to inspect encrypted ConfigMgr traffic; ensure TLS inspection is enabled on relevant network segments.
- The fix requires installing an in-console update (KB29166583); a passive patch is not sufficient. Customers must actively apply the update from within the Configuration Manager console.
- The Snort/Suricata detection rule requires TLS decryption to be effective, as ConfigMgr traffic may be encrypted. Without SSLDecrypt/TLS inspection, the rule will not fire on encrypted sessions.
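The following is an added example, not code from this page or from the Emerging Threats rule authors: it re-implements the matching logic of the Snort rule above in Python (method, URI, UTF-16LE 'UID:' marker, then the relative PCRE on the raw bytes) and runs it over constructed requests, so a defender can see which request shapes fire and which do not. The host name, client GUID and request bodies are constructed assumptions.

```python
import re
from dataclasses import dataclass

# UTF-16LE "UID:", the same bytes as the rule's content:"U|00|I|00|D|00|:|00|".
UID_MARKER = "UID:".encode("utf-16-le")

# Same expression as the rule's pcre, applied (like the /R modifier) to the raw
# bytes right after the marker: 36-100 non-quote bytes, then one of ; & ` | $.
SUSPECT_VALUE = re.compile(rb"^[^\x22]{36,100}[\x3b\x26\x60\x7c\x24]")


@dataclass
class HttpRequest:
    method: str
    uri: str
    body: bytes


def parse_request(raw: bytes) -> HttpRequest:
    """Minimal HTTP/1.1 parser: request line only, headers skipped, raw body kept."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    method, uri, _version = request_line.split(" ", 2)
    return HttpRequest(method, uri, body)


def matches_cve_2024_43468_rule(req: HttpRequest) -> bool:
    """Mirror ET sid:2059681: method, URI, marker, then the relative pcre."""
    if req.method != "CCM_POST" or "/ccm_system/request" not in req.uri:
        return False
    start = 0
    # Like the rule engine, retry the relative pcre at every marker occurrence.
    while (idx := req.body.find(UID_MARKER, start)) != -1:
        if SUSPECT_VALUE.match(req.body[idx + len(UID_MARKER):]):
            return True
        start = idx + 1
    return False


# Constructed sample traffic (hypothetical host and client GUID, not captured data).
SAMPLE_GUID = "3f2504e0-4f89-11d3-9a0c-0305e82c3301"


def build_sample(method: str, uri: str, uid_value: str) -> bytes:
    body = ("UID:" + uid_value).encode("utf-16-le")
    head = (f"{method} {uri} HTTP/1.1\r\nHost: mp.example.internal\r\n"
            f"Content-Length: {len(body)}\r\n\r\n")
    return head.encode("ascii") + body


def classify_samples() -> dict:
    """Run the detection over constructed requests; True means the rule would fire."""
    samples = {
        "normal_uid": build_sample("CCM_POST", "/ccm_system/request", SAMPLE_GUID),
        "metachar_after_uid": build_sample("CCM_POST", "/ccm_system/request", SAMPLE_GUID + ";"),
        "quote_before_metachar": build_sample("CCM_POST", "/ccm_system/request", SAMPLE_GUID + '";'),
        "plain_post_other_uri": build_sample("POST", "/ccm_system/other", SAMPLE_GUID + ";"),
    }
    return {name: matches_cve_2024_43468_rule(parse_request(raw)) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, hit in classify_samples().items():
        print(f"{name}: {'ALERT' if hit else 'ok'}")
```

Only the decrypted request is inspectable, which is why the rule carries tls_state TLSDecrypt; feeding this function ciphertext yields no match.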
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | 9.8 | CRITICAL | |
| cisa | 9.8 | CRITICAL | |
| vendor_msrc | 9.8 | CRITICAL | |
GHSA
GHSA-m786-h9gp-8q53: Microsoft Configuration Manager Remote Code Execution Vulnerability
ghsa_unreviewed · 2024-10-08
CVE-2024-43468 [CRITICAL] CWE-89
VulnCheck
Microsoft Configuration Manager SQL Injection Vulnerability
vulncheck · 2024 · CVSS 9.8
CVE-2024-43468 [CRITICAL] CWE-89
Microsoft Configuration Manager contains an SQL injection vulnerability. An unauthenticated attacker could exploit this vulnerability by sending specially crafted requests to the target environment which are processed in an unsafe manner enabling the attacker to execute commands on the server and/or underlying database.
Affected: Microsoft Configuration Manager
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Exploit PoC: https://vulncheck.com/xdb/9f3d8e00a7f4; https://vulncheck.com/xdb/
CISA
Microsoft Configuration Manager SQL Injection Vulnerability
cisa · 2026-02-12 · CVSS 9.8
CVE-2024-43468 [CRITICAL] CWE-89
Affected: Microsoft Configuration Manager
Microsoft Configuration Manager contains an SQL injection vulnerability. An unauthenticated attacker could exploit this vulnerability by sending specially crafted requests to the target environment which are processed in an unsafe manner enabling the attacker to execute commands on the server and/or underlying database.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43468 ; https://nvd.nist.gov/vuln/detail/CVE-2024-43468
Remediation Due Date: 2026-03-05
Microsoft
Microsoft Configuration Manager Remote Code Execution Vulnerability
vendor_msrc · 2024-10-08 · CVSS 9.8
CVE-2024-43468 [CRITICAL] CWE-89
FAQ: How could an attacker exploit this vulnerability?
An unauthenticated attacker could exploit this vulnerability by sending specially crafted requests to the target environment which are processed in an unsafe manner enabling the attacker to execute commands on the server and/or underlying database.
FAQ: What actions do customers need to take to protect themselves from this vulnerability?
Customers using a version of Configuration Manager specified in the Security Updates table of this CVE need to install an in-console update to be protected. Guidance for how to install Configuration Manager in-console updates is available here: Install in-console updates for Configuration Manager.
Microsoft Configuration Manager: Mi
Suricata
ET WEB_SPECIFIC_APPS Microsoft Configuration Manager Unauthenticated SQL Injection (CVE-2024-43468)
suricata · 2025-01-27 · CVSS 9.8
CVE-2024-43468 [CRITICAL]
Rule: ET sid:2059681 (full rule text given in the Detection & IOCs section above).
No public exploits indexed.
Bleepingcomputer
CISA flags critical Microsoft SCCM flaw as exploited in attacks
blogs_bleepingcomputer · 2026-02-13 · CVSS 9.8
[CRITICAL]
## CISA flags critical Microsoft SCCM flaw as exploited in attacks
By Sergiu Gatlan
"An unauthenticated attacker could exploit this vulnerability by sending specially crafted requests to the target environment which are processed in an unsafe manner enabling the attacker to execute commands on the server and/or underlying database," Microsoft explained when it patched the flaw in October 2024.
At the time, Microsoft tagged it as "Exploitation Less Likely," saying that "an attacker would likely have difficulty creating the code, requiring expertise and/or sophisticated timing, and/or varied results when targeting the affected product."
However, Synacktiv shared proof-of-concept exploitation code for CVE-2024-43468 on November 26th, 2024, almost two months after Microsoft released secur
Checkpoint
14th October – Threat Intelligence Report
blogs_checkpoint · 2024-10-14
CVE-2024-43572
## 14th October – Threat Intelligence Report
TOP ATTACKS AND BREACHES
Nonprofit healthcare organization Axis Health System has been hit by a ransomware attack by the Rhysida gang, leading to the theft of sensitive data, including mental health and substance abuse records. Rhysida is demanding $1.5 million and has threatened to publish the data in six days if unpaid. The gang has also begun leaking 102GB of data from Golden Age Nursing Home, including over 35K files, which allegedly contain medical records and disch
Qualys
Microsoft & Adobe October 2024 Patch Tuesday Updates | Qualys
blogs_qualys · 2024-10-08
#### Table of Contents
- Microsoft Patch Tuesday for October 2024
- Adobe Patches for October 2024
- Zero-day Vulnerabilities Patched in October Patch Tuesday Edition
- Critical Severity Vulnerabilities Patched in October Patch Tuesday Edition
- Microsoft Release Summary
- Discover and Prioritize Vulnerabilities in Vulnerability Management, Detection & Response (VMDR)
- Rapid Response with Patch Management (PM)
- EVALUATE Vendor-Suggested Mitigation with Policy Compliance (PC)
- Qualys Monthly Webinar Series
Microsoft has rolled out its October 2024 Patch Tuesday updates, offering vital security fixes for IT professionals to implement. With several critical vulnerabilities patched, this release highlights the ongoing need for regular maintenance and attention to security.
## Microsoft P
Bleepingcomputer
Microsoft October 2024 Patch Tuesday fixes 5 zero-days, 118 flaws
blogs_bleepingcomputer · 2024-10-08 · CVSS 6.5
[MEDIUM]
## Microsoft October 2024 Patch Tuesday fixes 5 zero-days, 118 flaws
By Lawrence Abrams
28 Elevation of Privilege vulnerabilities
7 Security Feature Bypass vulnerabilities
43 Remote Code Execution vulnerabilities
6 Information Disclosure vulnerabilities
26 Denial of Service vulnerabilities
7 Spoofing vulnerabilities
This count does not include three Edge flaws that were previously fixed on October 3rd.
To learn more about the non-security updates released today, you can review our dedicated articles on the new Windows 11 KB5044284 and KB5044285 cumulative updates and the Windows 10 KB5044273 update.
## Five zero-days disclosed
This month's Patch Tuesday fixes five zero-days, two of which were actively exploited in attacks, and all five were publicly disclosed.
Microsoft classi
Trendmicro
The October 2024 Security Update Review
blogs_trendmicro · 2024-10-08 · CVSS 7.1
[HIGH]
## The October 2024 Security Update Review
Get the October 2024 security update and review.
By: Dustin Childs, 2024/10/08
It’s the spooky season, and there’s nothing spookier than security patches – at least in my world. Microsoft and Adobe have released their latest patches, and no bones about it, there are some skeletons in those closets. Take a break from your regular activities and join us as we review the details of their latest security alerts. If you’d rather watch the full video recap covering the entire release, you can check it out here:
| CVE | Title | Severity | CVSS | Public | Exploited | Type |
|---|---|---|---|---|---|---|
| CVE-2024-43572 | Microsoft Management Console Remote Code Execution Vulnerability | Moderate | 7.8 | Yes | Yes | RCE |
| CVE-2024-43573 | Windows MSHTML Platform Spo | | | | | |
Trendmicro
The October 2024 Security Update Review
blogs_trendmicro · 2024-10-08
# The October 2024 Security Update Review
By: Dustin Childs, 2024/10/08
Adobe Patches for October 2024
For October, Adobe released nine patches addressing 52 CVEs in Adobe Substance 3D Painter, Commerce, Dimension, Animate, Lightroom, InCopy, InDesign, Substance 3D Stager, and A
Tenable
Microsoft’s October 2024 Patch Tuesday Addresses 117 CVEs (CVE-2024-43572, CVE-2024-43573)
blogs_tenable · 2024-10-08 · CVSS 7.8
[HIGH]
Talos
Largest Patch Tuesday since July includes two exploited in the wild, three critical vulnerabilities
blogs_talos · 2024-10-08 · CVSS 7.8
[HIGH]
## Largest Patch Tuesday since July includes two exploited in the wild, three critical vulnerabilities
The largest Microsoft Patch Tuesday since July includes two vulnerabilities that have been exploited in the wild and three other critical issues across the company’s range of hardware and software offerings.
October’s monthly security update from Microsoft includes fixes for 117 CVEs, the most in a month since July’s updates covered 142 vulnerabilities.
The two vulnerabilities that Microsoft reports have been actively exploited in the wild and are publicly known are both rated as only being of “moderate” severity.
CVE-2024-43572 is a remote code execution vulnerability in the Microsoft Management Console that could allow an attacker to execute arbitrary code on the targeted machine.
Qualys
Microsoft and Adobe Patch Tuesday, October 2024 Security Update Review
blogs_qualys · 2024-10-08
Talos
Largest Patch Tuesday since July includes two exploited in the wild, three critical vulnerabilities
blogs_talos · 2024-10-08 · CVSS 9.8
[CRITICAL]
CVE-2024-43572 is a remote code execution vulnerability in the Microsoft Management Console that could allow an attacker to execute arbitrary code on the targeted machine. Microsoft’s security update will prevent untrusted Microsoft Saved Console (MSC) files from being opened
Greynoiseio
NoiseLetter January 2025
blogs_greynoiseio
Crowdstrike
October 2024 Patch Tuesday: Updates and Analysis
blogs_crowdstrike · CVSS 7.5
CVE-2026-20929 [HIGH] October 2024 Patch Tuesday: Updates and Analysis
- Published: 2024-10-08
- Added to CISA KEV: 2026-02-12
- Exploited in the wild