CVE-2025-55320

MEDIUM

Microsoft Configuration Manager - SQL Injection

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-55320. PoCs published by synacktiv.

AI-analyzed exploit summary: This PoC exploits CVE-2025-55320, a SQL injection vulnerability in Microsoft SCCM's AdminService WMI endpoint. It leverages NTLM authentication to execute arbitrary SQL queries via the SMS_MDMAppleVppToken.SyncToken method.

Description

Improper neutralization of special elements used in an SQL command ('SQL injection') in Microsoft Configuration Manager allows an authorized attacker to elevate privileges over an adjacent network.

Exploits (1)

nomisec WORKING POC
by synacktiv · poc
https://github.com/synacktiv/CVE-2025-55320

Classification: Working PoC 95%
Attack Type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: Microsoft System Center Configuration Manager (SCCM)
Auth required
Prerequisites: Valid SCCM credentials or NTLM hashes · Access to the AdminService WMI endpoint · Operations Administrator role
devstral-2 · analyzed Apr 14, 2026

Scores

CVSS v3 6.8
EPSS 0.0062
EPSS Percentile 45.0%
Attack Vector ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE CWE-89
Status published
Products (3)
microsoft/configuration_manager_2403 < 5.00.9128.1035
microsoft/configuration_manager_2409 < 5.00.9132.1029
microsoft/configuration_manager_2503 < 5.00.9135.1008
Published Oct 14, 2025
Tracked Since Feb 18, 2026