Urgent Security Alert: Microsoft Configuration Manager Flaw Under Active Exploitation
Federal agencies have until March 5 to patch a critical SQL injection vulnerability in Microsoft Configuration Manager, as the flaw is now being actively exploited by attackers.
A serious security vulnerability in Microsoft Configuration Manager is currently being exploited, putting unpatched organizations – including government agencies – at significant risk. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability, identified as CVE-2024-43468, to its Known Exploited Vulnerabilities catalog on Thursday, February 22, 2024, issuing a firm deadline of March 5 for federal agencies to implement the available patch.
The vulnerability, rated 9.8 out of 10 for severity, resides within Microsoft Configuration Manager, a widely used tool for IT administrators to manage Windows-based servers and laptops. According to security researchers, the flaw allows unauthenticated, remote attackers to execute commands on the server and/or the underlying database. This presents a substantial threat, as it grants malicious actors potentially complete control over affected systems.
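To make the vulnerability class concrete, the following is an added illustration (not Configuration Manager code and not a model of CVE-2024-43468, whose internals are not described here): a lookup that concatenates untrusted input into a SQL statement, next to the same lookup with a bound parameter. The table and the hostile input are constructed for the demo; SQLite stands in for whatever database the real product uses.

```python
"""Added example: the SQL injection vulnerability class, vulnerable form beside the fix.
Constructed toy schema; it is not Configuration Manager code."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed in-memory sample standing in for a device inventory table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE devices (name TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO devices VALUES (?, ?)",
        [("LAPTOP-01", "alice"), ("SERVER-07", "bob"), ("LAPTOP-02", "carol")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # Untrusted input is pasted into the statement text, so the caller
    # controls SQL syntax rather than just a value.
    sql = f"SELECT name, owner FROM devices WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    # Bound parameter: the driver sends the value separately from the
    # statement, so the input can never change the query's structure.
    return conn.execute(
        "SELECT name, owner FROM devices WHERE name = ?", (name,)
    ).fetchall()


def demo() -> dict:
    """Run both lookups with a benign and a constructed hostile input."""
    conn = make_db()
    benign = "LAPTOP-01"
    hostile = "' OR '1'='1"  # constructed input that rewrites the WHERE clause
    return {
        "vuln_benign": lookup_vulnerable(conn, benign),
        "vuln_hostile": lookup_vulnerable(conn, hostile),
        "param_benign": lookup_parameterized(conn, benign),
        "param_hostile": lookup_parameterized(conn, hostile),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The vulnerable lookup hands back every row for the hostile input, while the parameterized one treats the same string as a literal device name and returns nothing; this is the property a patch for a SQL injection flaw has to restore, and the property code review should check for in any query that touches user-supplied data.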
The vulnerability was initially discovered and reported to Microsoft by Mehdi Elyassa, a “red teamer” at French cybersecurity firm Synacktiv. While Microsoft initially assessed the risk as “exploitation less likely” when the bug was first disclosed in October 2024, the publication of at least two proof-of-concept exploits has dramatically shifted the threat landscape.
“You really should drop everything else and patch this bug before taking off for the long Presidents’ Day weekend,” one security analyst warned.
Currently, CISA states it is “unknown” whether the vulnerability has been leveraged in ransomware attacks. However, the agency’s rapid response and the March 5 deadline underscore the seriousness of the situation. Microsoft has yet to publicly disclose details regarding the actors exploiting the vulnerability or the extent of the impact. The Register reached out to Microsoft for comment but did not receive an immediate response.
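For teams that need to turn the catalog entry into a work item, here is an added helper (not from CISA or Microsoft) that reads the CISA Known Exploited Vulnerabilities JSON feed layout, matches it against a list of CVEs from a local inventory, and reports the remediation deadline, days remaining and the ransomware-use flag. The single record embedded below is constructed to mirror the dates and the "Unknown" ransomware status stated in this article; for real use, load the live feed published by CISA instead.

```python
"""Added example: triage a CVE inventory against a CISA KEV feed.
The embedded record is a constructed sample in the KEV feed layout."""
import json
from datetime import date

# Constructed sample; the live feed carries thousands of entries.
SAMPLE_KEV_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {
      "cveID": "CVE-2024-43468",
      "vendorProject": "Microsoft",
      "product": "Configuration Manager",
      "vulnerabilityName": "Microsoft Configuration Manager SQL Injection Vulnerability",
      "dateAdded": "2024-02-22",
      "shortDescription": "Constructed sample description.",
      "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
      "dueDate": "2024-03-05",
      "knownRansomwareCampaignUse": "Unknown"
    }
  ]
}"""


def load_kev(text: str) -> dict:
    """Index a KEV feed by CVE ID."""
    data = json.loads(text)
    return {entry["cveID"]: entry for entry in data["vulnerabilities"]}


def triage(kev: dict, inventory_cves: list, today: date) -> list:
    """Return one dict per inventory CVE that appears in KEV, most urgent first.

    days_left is negative once the CISA due date has passed.
    """
    hits = []
    for cve in inventory_cves:
        entry = kev.get(cve)
        if entry is None:
            continue  # not in the catalog: no federal deadline attached
        due = date.fromisoformat(entry["dueDate"])
        hits.append({
            "cve": cve,
            "product": f'{entry["vendorProject"]} {entry["product"]}',
            "due": due.isoformat(),
            "days_left": (due - today).days,
            "ransomware": entry.get("knownRansomwareCampaignUse", "Unknown"),
        })
    hits.sort(key=lambda hit: hit["days_left"])
    return hits


if __name__ == "__main__":
    kev = load_kev(SAMPLE_KEV_JSON)
    # CVE-2024-00000 is a placeholder ID that is deliberately absent from the sample feed.
    for hit in triage(kev, ["CVE-2024-43468", "CVE-2024-00000"], date(2024, 2, 23)):
        print(hit)
```

Feeding the helper the day after the catalog addition gives eleven days to the March 5 deadline; a scheduler that runs this daily and pages when days_left drops below a threshold is a cheap way to keep a KEV entry from being missed.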
This alert comes amidst a flurry of security updates from Microsoft. On Tuesday, February 20, 2024, the company released 59 new Common Vulnerabilities and Exposures (CVEs), six of which were already being exploited prior to the patch release. Microsoft has a history of providing limited details regarding the specifics of these attacks, leaving the security community to piece together the puzzle. Three of the six pre-exploited CVEs are also publicly disclosed, meaning proof-of-concept exploits are readily available, increasing the likelihood of widespread attacks.
The situation highlights the critical importance of proactive patching and diligent security practices. Organizations are urged to prioritize the deployment of the patch for CVE-2024-43468 and to remain vigilant against potential exploitation attempts. The current environment suggests that waiting 16 months to address this flaw, as the initial assessment implied, is a risk no organization can afford to take. ®
