Microsoft Configuration Manager Remote Code Execution Vulnerability
Released: Oct 8, 2024
- Assigning CNA: Microsoft
- CVE.org link: CVE-2024-43468
- Impact: Remote Code Execution
- Max Severity: Critical
- Weakness
- CVSS Source: Microsoft
- Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
- Metrics: CVSS:3.1 base score 9.8 / temporal score 8.5
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality: High
- Integrity: High
- Availability: High
- Exploit Code Maturity: Unproven
- Remediation Level: Official Fix
- Report Confidence: Confirmed
Please see Common Vulnerability Scoring System for more information on the definition of these metrics.
Exploitability
The following table provides an exploitability assessment for this vulnerability at the time of original publication.
- Publicly disclosed: No
- Exploited: No
- Exploitability assessment: Exploitation Less Likely
FAQ
How could an attacker exploit this vulnerability?
An unauthenticated attacker could exploit this vulnerability by sending specially crafted requests to the target environment; these requests are processed in an unsafe manner, enabling the attacker to execute commands on the server and/or the underlying database.
What actions do customers need to take to protect themselves from this vulnerability?
Customers using a version of Configuration Manager specified in the Security Updates table of this CVE need to install an in-console update to be protected. Guidance for how to install Configuration Manager in-console updates is available here: Install in-console updates for Configuration Manager.
Acknowledgements
- Mehdi Elyassa with Synacktiv
Security Updates
To determine the support lifecycle for your software, see the Microsoft Support Lifecycle.
- 5.00.9128
- 5.00.9122
- 5.00.9106
Disclaimer
Revisions
- Information published.