CISA Issues Urgent Warning: Exploited Vulnerabilities in Zimbra and Microsoft SharePoint Demand Immediate Action
- John Jordan
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a stern warning regarding actively exploited vulnerabilities affecting both Zimbra and Microsoft SharePoint. These critical flaws, if left unaddressed, pose significant risks to organizations, potentially allowing attackers to gain unauthorized access and execute malicious code. CISA is urging all federal agencies and private sector entities to prioritize patching and mitigation efforts immediately.
Key Takeaways
CISA has identified actively exploited vulnerabilities in Zimbra and Microsoft SharePoint.
A critical flaw in Microsoft Configuration Manager (CVE-2024-43468) is being actively exploited.
Federal agencies are mandated to patch the Microsoft Configuration Manager vulnerability by March 5th.
The vulnerability allows unauthenticated attackers to achieve remote code execution.
CISA encourages all organizations, including those in the private sector, to apply mitigations promptly.
Exploited Microsoft Configuration Manager Flaw
CISA has officially added a critical vulnerability in Microsoft Configuration Manager (ConfigMgr), formerly known as SCCM, to its Known Exploited Vulnerabilities catalog. This flaw, tracked as CVE-2024-43468, is a SQL injection vulnerability that allows remote attackers with no prior privileges to execute arbitrary commands with the highest level of authority on the affected server and its underlying database.
Microsoft initially patched this vulnerability in October 2024, classifying the exploitation risk as "Less Likely" due to the perceived difficulty in crafting exploit code. However, security researchers from Synacktiv released proof-of-concept exploit code for CVE-2024-43468 on November 26th, 2024, nearly two months after the patch was made available. This release has evidently led to its active exploitation in the wild.
CISA's Directive and Broader Implications
In response to the active exploitation, CISA has mandated that U.S. Federal Civilian Executive Branch (FCEB) agencies must secure their systems against CVE-2024-43468 by March 5th, as per Binding Operational Directive (BOD) 22-01. CISA emphasized that such vulnerabilities are common attack vectors for malicious actors and present substantial risks to the federal enterprise.
While BOD 22-01 specifically targets federal agencies, CISA strongly advises all network defenders, including those in the private sector, to implement the necessary mitigations or discontinue the use of the affected product if patches are unavailable. The agency stresses the importance of applying vendor-provided fixes and following guidance for cloud services to protect against these ongoing attacks.
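The directive above turns a catalog entry into a dated obligation, and the practical question for any defender is which hosts it touches and how many days are left. The following script is an added example written for this page, not code from the article, CISA or Microsoft: it reads Known Exploited Vulnerabilities (KEV) style records, matches them against a host inventory and reports the remaining time before each due date. The field names (cveID, vendorProject, product, dueDate, requiredAction) are assumed to follow CISA's published KEV JSON layout; the sample catalog records and inventory are constructed for illustration, the Zimbra record carries a placeholder CVE id because the article names none, and the year in the due dates is assumed since the article gives only "March 5th".

```python
"""KEV-style triage: which inventory hosts run a cataloged product, and how
long until the BOD 22-01 remediation due date.

Added example, not the article's or CISA's code. All records below are
constructed; the CVE-2024-43468 entry mirrors what the article reports,
the Zimbra entry uses a placeholder id, and due-date years are assumed.
"""
from dataclasses import dataclass
from datetime import date
import json

# Constructed sample in the shape of CISA's KEV JSON feed (field names assumed).
SAMPLE_KEV_JSON = """
{
  "vulnerabilities": [
    {
      "cveID": "CVE-2024-43468",
      "vendorProject": "Microsoft",
      "product": "Configuration Manager",
      "vulnerabilityName": "Microsoft Configuration Manager SQL Injection Vulnerability",
      "dueDate": "2025-03-05",
      "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable."
    },
    {
      "cveID": "CVE-PLACEHOLDER-ZIMBRA",
      "vendorProject": "Zimbra",
      "product": "Collaboration",
      "vulnerabilityName": "Placeholder Zimbra entry (constructed)",
      "dueDate": "2025-02-10",
      "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable."
    }
  ]
}
"""

# Constructed host inventory; a real one would come from a CMDB or asset scanner.
SAMPLE_INVENTORY = [
    {"hostname": "sccm-01", "vendor": "Microsoft", "product": "Configuration Manager"},
    {"hostname": "mail-01", "vendor": "Zimbra", "product": "Collaboration"},
    {"hostname": "web-01", "vendor": "Microsoft", "product": "SharePoint Server"},
]


@dataclass
class Finding:
    host: str
    cve_id: str
    product: str
    days_until_due: int   # negative once the due date has passed
    overdue: bool
    required_action: str


def load_kev(raw_json: str) -> list[dict]:
    """Return the list of catalog records from a KEV-style JSON document."""
    return json.loads(raw_json)["vulnerabilities"]


def triage(kev_entries: list[dict], inventory: list[dict], today: date) -> list[Finding]:
    """Match catalog records to inventory hosts by vendor and product name.

    Matching is case-insensitive on both fields; the result is sorted so the
    most urgent (smallest remaining days, overdue first) items come first.
    """
    findings: list[Finding] = []
    for entry in kev_entries:
        due = date.fromisoformat(entry["dueDate"])
        vendor = entry["vendorProject"].strip().lower()
        product = entry["product"].strip().lower()
        for host in inventory:
            if (host["vendor"].strip().lower(), host["product"].strip().lower()) != (vendor, product):
                continue
            remaining = (due - today).days
            findings.append(Finding(
                host=host["hostname"],
                cve_id=entry["cveID"],
                product=entry["product"],
                days_until_due=remaining,
                overdue=remaining < 0,
                required_action=entry["requiredAction"],
            ))
    findings.sort(key=lambda f: f.days_until_due)
    return findings


def report(findings: list[Finding]) -> str:
    """Render findings as one line per host for a ticket or daily stand-up."""
    lines = []
    for f in findings:
        status = f"OVERDUE by {-f.days_until_due} days" if f.overdue else f"{f.days_until_due} days left"
        lines.append(f"{f.host}: {f.cve_id} ({f.product}) - {status}")
    return "\n".join(lines) if lines else "No inventory hosts match cataloged products."


if __name__ == "__main__":
    # Evaluation date is constructed for the demonstration.
    print(report(triage(load_kev(SAMPLE_KEV_JSON), SAMPLE_INVENTORY, date(2025, 2, 20))))
```

The SharePoint host produces no finding because the constructed catalog carries no SharePoint record; in practice you would feed the live catalog and a complete inventory, and treat any overdue line as an incident-response trigger rather than a patching backlog item.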
Sources
CISA flags critical Microsoft SCCM flaw as exploited in attacks, BleepingComputer.
