The US Cybersecurity and Infrastructure Security Agency (CISA) has sounded the alarm: it has ordered federal agencies to secure their environments against a critical vulnerability in Microsoft Configuration Manager (also known as ConfigMgr, formerly SCCM) that was patched in October 2024 but is now being used in real attacks.
ConfigMgr is a key piece in many companies and agencies: it is used to deploy patches, distribute software and centrally manage hundreds or thousands of Windows workstations and servers. This control capability makes the platform a particularly attractive target for attackers, because compromising it can allow them to run code with the highest privileges over the managed systems and the site database.

The flaw, tracked as CVE-2024-43468, is a SQL injection that, according to the original report from the security company Synacktiv, can be exploited without being authenticated to the system. In practice, this means that a crafted request can cause commands to be executed on the server or directly against the Configuration Manager site database, with a potentially devastating effect on the integrity and availability of the environment.
Microsoft published an update in October 2024 to fix the vulnerability and at the time rated the likelihood of exploitation as low, noting that developing an effective exploit would require expertise or complex timing. However, the situation changed when Synacktiv published proof-of-concept code in its public repository in late November 2024. The release of a PoC lowers the technical barrier for malicious actors and increases the practical risk of attacks.
In response, CISA has added the vulnerability to its Known Exploited Vulnerabilities catalogue and issued an order requiring federal executive branch agencies to apply patches or mitigations before 5 March 2026, under Binding Operational Directive (BOD) 22-01. The agency warns that flaws of this kind are common attack vectors and that their exploitation poses significant risks to the security of the US public sector. Although the directive only binds federal agencies, CISA recommends that all organizations, including the private sector, act with the same urgency.
Microsoft maintains its security documentation on the flaw in its update guide, which is the reference for applying the official patches and mitigations: Microsoft guide to CVE-2024-43468. In addition, Synacktiv's technical report and advisory provide details of the root cause and mechanics that can be useful to response and detection teams: Synacktiv advisory.
Why is it particularly worrying? Because ConfigMgr controls critical elements of the infrastructure: deploying an exploit there can give an attacker the ability to run commands with high privileges, distribute malware or alter policies on many endpoints within minutes. The existence of a public PoC accelerates probing campaigns by unsophisticated actors and increases the likelihood that defence teams detect attacks late.
For those who manage Configuration Manager environments, the immediate priority is to apply the updates published by Microsoft. If for operational reasons it is not possible to update immediately, CISA and Microsoft recommend implementing the mitigation described by the vendor. It is also prudent to strengthen detection and containment measures: review server and site database logs for unusual queries, monitor the activity of privileged accounts, restrict access to administrative consoles from external networks and segment the network to limit the scope of a possible compromise.
It is important to note that the proof-of-concept code published by Synacktiv can be studied by security teams for defensive purposes, but it can also be reused by malicious actors. This is why it is recommended to analyse it only in controlled, isolated environments and to coordinate the technical response with security teams and the vendor.

The situation illustrates a recurring lesson: the window between the publication of a patch and mass exploitation can shrink drastically once a public PoC appears. That is why the speed of deploying updates and rolling out tested mitigations is now an operational requirement, not an option. Administrators who manage ConfigMgr should act urgently and document the measures taken; organizations that depend on third parties should ensure that those suppliers have also patched their systems.
To confirm the vulnerability's inclusion in CISA's list of exploited vulnerabilities or to consult the official resources, see the entry in the CISA catalogue: CVE-2024-43468 in the CISA catalogue. For the technical guidance and vendor updates, the Microsoft page is the starting point: Microsoft guide. And to understand the discovery and the PoC, the initial analysis is in Synacktiv's advisory and its repository: advisory and PoC on GitHub.
The final, clear and practical recommendation: check today whether your Configuration Manager instances are patched, apply the official mitigations if you cannot update immediately and increase detection monitoring until the threat is neutralized.