Urgent: CISA Confirms Active Attacks Exploiting Critical Microsoft SCCM Flaw

Summary
– CISA has ordered U.S. federal agencies to patch a critical Microsoft Configuration Manager vulnerability, tracked as CVE-2024-43468, by March 5th.
– This SQL injection flaw allows unauthenticated attackers to remotely execute arbitrary commands with the highest privileges on servers and databases.
– Microsoft originally assessed exploitation as unlikely but patched the vulnerability in October 2024.
– Proof-of-concept exploit code was publicly released in November 2024, and CISA now confirms the vulnerability is actively exploited.
– While the directive targets federal agencies, CISA urges all organizations to apply mitigations immediately due to the significant risk.

A critical vulnerability within Microsoft Configuration Manager, a widely used IT administration tool, is now under active exploitation, prompting urgent action from federal agencies and private sector organizations alike. The Cybersecurity and Infrastructure Security Agency (CISA) has mandated that all Federal Civilian Executive Branch agencies apply security patches by March 5th to counter the threat. This directive follows the public release of proof-of-concept exploit code, transforming a theoretical risk into a tangible and immediate danger for unpatched systems.
The flaw, identified as CVE-2024-43468, is a severe SQL injection vulnerability discovered by researchers at Synacktiv. It enables a remote attacker with no prior authentication to execute arbitrary code on the target server. Successful exploitation grants the attacker the highest level of privileges, allowing them to run commands on the server itself and potentially compromise the underlying Microsoft Configuration Manager site database. Microsoft initially assessed the bug as difficult to exploit, but that assessment changed dramatically with the publication of functional exploit code in late November 2024.
Microsoft Configuration Manager, formerly known as System Center Configuration Manager (SCCM), is a cornerstone tool for managing large deployments of Windows-based computers and servers. Its central role in IT infrastructure makes it a high-value target for cybercriminals. An attack against this system can provide a foothold for widespread network compromise, data theft, or ransomware deployment. CISA has now officially added this vulnerability to its Known Exploited Vulnerabilities catalog, confirming that malicious actors are actively leveraging it in real-world attacks.
The agency’s Binding Operational Directive (BOD) 22-01 provides the legal framework for the patching deadline imposed on federal agencies. CISA emphasized that such vulnerabilities are common entry points for threat actors and represent a severe risk to organizational security. While the directive formally applies only to federal bodies, CISA strongly urges all organizations using Microsoft Configuration Manager to prioritize patching immediately. The public availability of exploit code significantly lowers the barrier for attackers, making unpatched systems vulnerable to opportunistic scanning and compromise.
Security teams are advised to apply the relevant security updates Microsoft issued in October 2024 without delay. For environments where immediate patching is not feasible, administrators should consult Microsoft’s mitigation guidance. As a last resort, if mitigations cannot be implemented, CISA recommends discontinuing the use of the affected product to eliminate the risk. Proactive network monitoring for unusual SQL query activity or unauthorized access attempts targeting Configuration Manager servers is also a prudent defensive measure during this period of heightened threat.
(Source: Bleeping Computer)