Critical Microsoft bug from 2024 under exploitation • The Register
Ignore patches at your own risk.
According to Uncle Sam, a SQL injection flaw in Microsoft Configuration Manager patched in October 2024 is now being actively exploited, exposing unpatched businesses and government agencies to attack.
The US Cybersecurity and Infrastructure Security Agency added CVE-2024-43468 to its Known Exploited Vulnerabilities catalog on Thursday, setting a March 5 deadline for federal agencies to deploy the patch.
The 9.8-rated SQL injection vulnerability exists in Microsoft Configuration Manager, which IT admins use to manage organizations’ Windows-based servers and laptops. And it allows unauthenticated, remote attackers to execute commands on the server and/or underlying database. It’s a very serious flaw that needs to be fixed ASAP – or 16 months ago.
Mehdi Elyassa, a red teamer at French cybersecurity firm Synacktiv, found and reported the bug to Microsoft. The Register reached out to Microsoft for comment, but did not immediately receive responses to our questions, so we don’t know who is battering this bug or how many customers are affected. We will update this story when we hear back.
CISA says it’s “unknown” if this CVE has been abused in ransomware attacks.
When it originally disclosed the bug in October 2024, Microsoft deemed it “exploitation less likely,” and the Windows vendor’s security update still lists that vulnerability as not being under attack. Since that time, however, at least two proof-of-concept exploits have been published, so you really should drop everything else and patch this bug before taking off for the long Presidents’ Day weekend.
We’re sincerely hoping that all Microsoft admins, or at least those in the US, enjoy the Monday holiday after what has been a very busy second week of February.
On Tuesday, Redmond gifted them with 59 new CVEs, six of which had already been exploited before Microsoft issued a patch.
Per usual, Microsoft did not provide additional details about who attacked these six flaws and how widespread exploitation may be.
Three of the six, however, are also listed as publicly disclosed – meaning there may already be proof-of-concept exploits available. So it’s likely we’ll hear about these CVEs under attack soon, and not a year and a half from now. ®