CVE-2025-47178
published 2025-07-08CVE-2025-47178: Improper neutralization of special elements used in an sql command ('sql injection') in Microsoft Configuration Manager allows an authorized attacker to…
PriorityP354high8CVSS 3.1
AVAACLPRLUINSUCHIHAH
EPSS
2.04%
78.7th percentile
Improper neutralization of special elements used in an sql command ('sql injection') in Microsoft Configuration Manager allows an authorized attacker to execute code over an adjacent network.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | configuration_manager_2503 | < 5.00.9135.1003 | 5.00.9135.1003 |
| microsoft | microsoft_configuration_manager | >= 1.0.0 < 5.00.9135.1003 | 5.00.9135.1003 |
| msrc | microsoft_configuration_manager_2503 | — | — |
CVSS provenance
nvdv3.18.0HIGHCVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vendor_msrc8.0HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Microsoft
Microsoft Configuration Manager Remote Code Execution Vulnerability
vendor_msrc·2025-07-08·CVSS 8.0
CVE-2025-47178 [HIGH] CWE-89 Microsoft Configuration Manager Remote Code Execution Vulnerability
Microsoft Configuration Manager Remote Code Execution Vulnerability
Description: Improper neutralization of special elements used in an sql command ('sql injection') in Microsoft Configuration Manager allows an authorized attacker to execute code over an adjacent network.
FAQ: According to the CVSS metric, privileges required is low (PR:L). What does that mean for this vulnerability?
Successful exploitation of this vulnerability simply requires the attacker or targeted user to leverage a Microsoft Access application to automatically talk to a SQL Server while utilizing a remote SQL Server address that they control.
FAQ: How could an attacker exploit this vulnerability?
An authenticated attacker can run arbitrary SQL queries as the SMS service (with sysadmin privileges). Since the inject
GHSA
GHSA-m728-x6w3-mc25: Improper neutralization of special elements used in an sql command ('sql injection') in Microsoft Configuration Manager allows an authorized attacker
ghsa_unreviewed·2025-07-08
CVE-2025-47178 [HIGH] CWE-89 GHSA-m728-x6w3-mc25: Improper neutralization of special elements used in an sql command ('sql injection') in Microsoft Configuration Manager allows an authorized attacker
Improper neutralization of special elements used in an sql command ('sql injection') in Microsoft Configuration Manager allows an authorized attacker to execute code over an adjacent network.
No detection rules found.
No public exploits indexed.
Krebs
Microsoft Patch Tuesday, July 2025 Edition
blogs_krebs·2025-07-09·CVSS 9.8
CVE-2025-49719 [CRITICAL] Microsoft Patch Tuesday, July 2025 Edition
Microsoft today released updates to fix at least 137 security vulnerabilities in its Windows operating systems and supported software. None of the weaknesses addressed this month are known to be actively exploited, but 14 of the flaws earned Microsoft’s most-dire “critical” rating, meaning they could be exploited to seize control over vulnerable Windows PCs with little or no help from users.
While not listed as critical, CVE-2025-49719 is a publicly disclosed information disclosure vulnerability, with all versions as far back as SQL Server 2016 receiving patches. Microsoft rates CVE-2025-49719 as less likely to be exploited, but the availability of proof-of-concept code for this flaw means its patch should probably be a priority for affected enterprises.
Mike Walters , co-founder of Acti
Krebs
Microsoft Patch Tuesday, July 2025 Edition
blogs_krebs·2025-07-08·CVSS 9.8
CVE-2025-49719 [CRITICAL] Microsoft Patch Tuesday, July 2025 Edition
Microsoft today released updates to fix at least 137 security vulnerabilities in its Windows operating systems and supported software. None of the weaknesses addressed this month are known to be actively exploited, but 14 of the flaws earned Microsoft’s most-dire “critical” rating, meaning they could be exploited to seize control over vulnerable Windows PCs with little or no help from users.
While not listed as critical, CVE-2025-49719 is a publicly disclosed information disclosure vulnerability, with all versions as far back as SQL Server 2016 receiving patches. Microsoft rates CVE-2025-49719 as less likely to be exploited, but the availability of proof-of-concept code for this flaw means its patch should probably be a priority for affected enterprises.
Mike Walters, co-founder of Actio
2025-07-08
Published