Summary: Researcher Mehdi Elyassa of Synacktiv disclosed a critical SQL injection vulnerability in Microsoft Configuration Manager (CVE-2024-43468, CVSS score 9.8) that allows unauthenticated attackers to execute arbitrary commands. The flaw lies in the MP_Location service and lets an attacker obtain sysadmin-level privileges on the site database, potentially gaining full control over the Configuration Manager deployment. Microsoft released patches in October 2024, and organizations are advised to apply them urgently to mitigate the risk.
Affected: Microsoft Configuration Manager (MCM)
Key points:
- The vulnerability allows unauthenticated SQL injection, enabling arbitrary command execution.
- Exploitation may result in full compromise of the Configuration Manager deployment and database access.
- Organizations are advised to apply patches released in October 2024 to prevent potential exploitation.