By Jessica Lyons
Publication Date: 2026-02-13 18:45:00
Ignore patches at your own risk. According to Uncle Sam, a SQL injection flaw in Microsoft Configuration Manager patched in October 2024 is now being actively exploited, exposing unpatched businesses and government agencies to attack.
The US Cybersecurity and Infrastructure Security Agency added CVE-2024-43468 to its Known Exploited Vulnerabilities catalog on Thursday, setting a March 5 deadline for federal agencies to deploy the patch.
The 9.8-rated SQL injection vulnerability exists in Microsoft Configuration Manager, which IT admins use to manage organizations’ Windows-based servers and laptops. The flaw allows unauthenticated, remote attackers to execute commands on the server and/or underlying database. It’s a very serious flaw that needs to be fixed ASAP – or 16 months ago.
Mehdi Elyassa, a red teamer at French cybersecurity firm Synacktiv, found and reported the bug to Microsoft. The Register reached out…