CVE-2024-43468

CRITICAL KEV

Microsoft Configuration Manager 2403, 2409, 2503 - Remote Code Execution

Title source: llm

Exploitation Summary

CVE-2024-43468 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added February 12, 2026. EIP tracks 3 public exploits from researchers including synacktiv, nikallass, and tadash10.

Description

Microsoft Configuration Manager Remote Code Execution Vulnerability

Exploits (3)

nomisec WORKING POC 95 stars
by synacktiv · remote
https://github.com/synacktiv/CVE-2024-43468

This repository contains a functional exploit for CVE-2024-43468, an unauthenticated SQL injection vulnerability in Microsoft Configuration Manager (SCCM). The exploit leverages crafted multipart requests to execute arbitrary SQL queries on the site database, potentially leading to remote code execution via `xp_cmdshell`.

Classification: Working PoC 100%
Attack Type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Configuration Manager (SCCM) versions < 2403 (5.00.9128.1024), < 2309 (5.00.9122.1033), < 2303 (5.00.9106.1037), and <= 2211
No auth needed
Prerequisites: Network access to a vulnerable SCCM Management Point · Optional: PKI certificate for mutual TLS if the Management Point is configured with HTTPS Only mode
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 3 stars
by nikallass · remote
https://github.com/nikallass/CVE-2024-43468_mTLS_go

This repository contains a Go-based exploit for CVE-2024-43468, targeting unauthenticated SQL injection in Microsoft Configuration Manager (SCCM). It leverages macOS Keychain for mTLS authentication and includes proxy support for evasion.

Classification: Working PoC 95%
Attack Type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Configuration Manager (SCCM) versions < 2403, < 2309, < 2303, <= 2211
No auth needed
Prerequisites: Network access to SCCM Management Point · Client certificate in macOS Keychain · Go 1.16+
devstral-2 · analyzed Feb 18, 2026

github SCANNER
by tadash10 · pythonpoc
https://github.com/tadash10/Detailed-Analysis-and-Mitigation-Strategies-for-CVE-2024-38124-and-CVE-2024-43468

The repository contains Python scripts designed to monitor Windows event logs for suspicious activities related to CVE-2024-38124 and CVE-2024-43468, focusing on logon events and SCCM actions. It does not include exploit code but provides detection mechanisms.

Classification: Scanner 90%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Windows Event Logs (Security Log)
Auth required
Prerequisites: Access to Windows event logs · Administrative privileges to read Security logs
devstral-2 · analyzed Feb 19, 2026

Scores

CVSS v3 9.8
EPSS 0.8311
EPSS Percentile 99.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2026-02-12
VulnCheck KEV 2026-02-12
ENISA EUVD EUVD-2024-40737
CWE CWE-89
Status published
Products (4)
microsoft/configuration_manager_2403
microsoft/configuration_manager_2409
microsoft/configuration_manager_2503
Microsoft/Microsoft Configuration Manager 1.0.0 - 5.00.9106
Published Oct 08, 2024
KEV Added Feb 12, 2026
Tracked Since Feb 18, 2026