What happened
CISA added CVE-2024-43468 to the Known Exploited Vulnerabilities (KEV) catalog on 2026-02-12, signaling observed exploitation and mandating remediation by federal agencies. This entry covers Microsoft Configuration Manager and is due by 2026-03-05 per CISA’s directive (CISA KEV catalog).
The vulnerability is described as a SQL injection flaw in Microsoft Configuration Manager that can be exploited by an unauthenticated attacker via specially crafted requests processed in an unsafe manner, enabling command execution on the server and/or the underlying database (NVD). The flaw is mapped to CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) (MITRE CVE record).
CISA’s listing requires asset owners to apply vendor mitigations or discontinue use if mitigations are unavailable, aligning with broader federal remediation policy (CISA KEV).
Why it matters
Being in KEV means exploitation is confirmed somewhere in the wild, which changes this from a theoretical weakness to an active operational risk (CISA KEV). The core risk here is pre-auth impact: an unauthenticated adversary can trigger unsafe input handling to run commands against the server or its database, raising immediate integrity and availability concerns (NVD).
CISA also notes ransomware campaign use is currently unknown for this CVE, but the KEV designation alone sets a high priority bar for remediation and monitoring (CISA KEV).
Technical detail
The vulnerability is a SQL injection (CWE-89) in Microsoft Configuration Manager where specially crafted attacker-supplied requests are processed in an unsafe manner (MITRE). Because the flaw is reachable without authentication, exploitation can begin at the network boundary reachable by the service, rather than requiring valid credentials (NVD).
Impact is explicitly stated as the ability to execute commands on the server and/or the underlying database, indicating not just data exposure but active manipulation and system control potential (NVD). The CWE-89 mapping underscores that the root cause is lack of proper neutralization of special elements used in SQL queries, a classic injection pathway (MITRE).
CISA’s KEV inclusion date (2026-02-12) and required due date (2026-03-05) quantify the urgency and align with federal remediation SLAs for known exploited issues (CISA KEV).
Defense
CISA’s required action is unambiguous: apply mitigations per vendor instructions; if mitigations are unavailable, follow applicable BOD 22-01 guidance for cloud services or discontinue use of the product (CISA KEV). Federal agencies are required to remediate by the KEV due date of 2026-03-05; private sector should follow the same priority given active exploitation (CISA KEV).
Because the vulnerability is pre-auth and tied to unsafe request processing, defenders should treat internet-reachable instances with maximum urgency and verify controls that block or sanitize malicious SQL payloads consistent with CWE-89 class issues (NVD). After mitigation, continue monitoring for attempts consistent with SQL injection probes against Microsoft Configuration Manager, given the KEV status indicates active attacker interest (CISA KEV).
Where feasible, stage mitigations in a controlled rollout with validation that the vulnerable request paths are neutralized and that no command execution pathways remain against the server or database (NVD).
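One way to track the prioritization described in this section, as an added example that is not Lyrie's or CISA's code: it joins a KEV-style record against an asset inventory and orders unmitigated hosts with internet-facing instances first, then by days remaining to the due date. The record uses field names from CISA's public KEV JSON feed with the values quoted in this article; the inventory, its hostnames and its `internet_facing`/`mitigated` fields are hypothetical.

```python
import json
from datetime import date

# Constructed KEV-style record: field names follow CISA's public KEV JSON feed,
# values are the ones quoted in this article.
KEV_FEED = json.loads("""
{"vulnerabilities": [{
  "cveID": "CVE-2024-43468",
  "vendorProject": "Microsoft",
  "product": "Configuration Manager",
  "dateAdded": "2026-02-12",
  "dueDate": "2026-03-05",
  "knownRansomwareCampaignUse": "Unknown",
  "cwes": ["CWE-89"]
}]}
""")

# Constructed inventory: hostnames and the "internet_facing"/"mitigated"
# fields are hypothetical and would come from a CMDB or scanner export.
INVENTORY = [
    {"host": "cm-primary.example.internal", "product": "Configuration Manager",
     "internet_facing": False, "mitigated": False},
    {"host": "cm-mp-dmz.example.internal", "product": "Configuration Manager",
     "internet_facing": True, "mitigated": False},
    {"host": "cm-lab.example.internal", "product": "Configuration Manager",
     "internet_facing": False, "mitigated": True},
    {"host": "wsus01.example.internal", "product": "WSUS",
     "internet_facing": False, "mitigated": False},
]

def open_kev_findings(feed, inventory, today):
    """Return unmitigated assets affected by KEV entries, most urgent first."""
    findings = []
    for vuln in feed["vulnerabilities"]:
        due = date.fromisoformat(vuln["dueDate"])
        for asset in inventory:
            if asset["product"] != vuln["product"] or asset["mitigated"]:
                continue
            findings.append({
                "host": asset["host"],
                "cve": vuln["cveID"],
                "internet_facing": asset["internet_facing"],
                "days_left": (due - today).days,  # negative means overdue
            })
    # Internet-facing first, then closest to (or furthest past) the due date.
    findings.sort(key=lambda f: (not f["internet_facing"], f["days_left"]))
    return findings

if __name__ == "__main__":
    for f in open_kev_findings(KEV_FEED, INVENTORY, date(2026, 2, 20)):
        status = "OVERDUE" if f["days_left"] < 0 else f"{f['days_left']}d left"
        print(f"{f['cve']} {f['host']} internet_facing={f['internet_facing']} {status}")
```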
Lyrie Verdict
CVE-2024-43468 is pre-auth SQL injection with command execution impact against a high-value management service, and it’s already in KEV—treat it as live fire (CISA KEV). Lyrie’s position: don’t wait for tickets. We auto-hunt for SQLi-shaped payloads and anomalous input patterns targeting Configuration Manager endpoints and flag/contain requests matching CWE-89 behaviors at machine speed, mapped directly to the CVE signal from NVD/MITRE (NVD; MITRE). That means pre-auth exploitation attempts are suppressed and bubbled for verification without waiting on human triage, while remediation progress is tracked against the KEV due date until the service is clean (CISA KEV).
Lyrie Verdict
Pre-auth SQLi with command execution against ConfigMgr is already in KEV. Lyrie auto-detects and suppresses CWE-89 exploitation patterns at machine speed and tracks remediation vs. the KEV due date.