CVE-2024-43468

Analyzed
Published: 08 Oct 2024, 17:35
Last modified: 12 Feb 2026, 23:20

Vulnerability Summary

Overall Risk (default)
high
70/100
CVSS Score
9.8 CRITICAL
v3.1 (cve.org)
EPSS Score
85.1% CRITICAL
85% probability +15.72%
KEV
Listed
CISA
1 listing
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

08 Oct 2024, 17:35
Published
Vulnerability first disclosed
12 Feb 2026, 00:00
Added to CISA KEV
Microsoft Configuration Manager SQL Injection Vulnerability
12 Feb 2026, 23:20
Last Modified
Vulnerability information updated
05 Mar 2026, 00:00
CISA Remediation Due
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Description

Microsoft Configuration Manager Remote Code Execution Vulnerability

CVSS Metrics

  • v3.1 CRITICAL, Score: 9.8, Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
  • v3.1 CRITICAL, Score: 9.8, Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Trends

Current EPSS score: 85.10% Percentile: 99%

Techniques & Countermeasures

  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

    The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Affected Systems

  • Unknown (vendor): Configuration Manager

    2303 | 2309 | 2403

  • microsoft: configuration_manager_2403

    na

  • microsoft: configuration_manager_2409

    na

  • microsoft: configuration_manager_2503

    na

  • microsoft: microsoft configuration manager

    ≥ 1.0.0, < 5.00.9106

References (2)