Improper neutralization of special elements used in an SQL command ('SQL injection') in Microsoft Configuration Manager allows an authorized attacker to execute code over an adjacent network.
According to the CVSS metric, privileges required is low (PR:L). What does that mean for this vulnerability?
Successful exploitation of this vulnerability simply requires the attacker or targeted user to leverage a Microsoft Access application to automatically talk to a SQL Server while utilizing a remote SQL Server address that they control.

How could an attacker exploit this vulnerability?
An authenticated attacker can run arbitrary SQL queries as the SMS service (with sysadmin privileges). Since the injection happens during a user permission check, even users with read-only RBAC roles can exploit it. Any local SMS Admins group member on the SMS Provider host can also take advantage of this vulnerability.
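
The FAQ above notes that the injection happens during the user permission check itself, which is why a read-only role is enough to reach it. The following is an added illustration, not Microsoft's or Configuration Manager's code: the table, function names and input are constructed, and SQLite stands in for SQL Server. It shows the same check built by string concatenation and then with bound parameters.

```python
import sqlite3

def make_db():
    # Constructed schema and rows; not Configuration Manager's real tables.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE role_grants (user_name TEXT, object_id TEXT, can_modify INTEGER);
        INSERT INTO role_grants VALUES ('readonly_analyst', 'COLL001', 0);
        INSERT INTO role_grants VALUES ('full_admin', 'COLL001', 1);
    """)
    return db

def can_modify_concat(db, user_name, object_id):
    # Vulnerable pattern: the caller-supplied object_id is spliced into the SQL
    # text, so the query that decides authorization is itself caller-influenced.
    sql = ("SELECT can_modify FROM role_grants "
           f"WHERE user_name = '{user_name}' AND object_id = '{object_id}'")
    row = db.execute(sql).fetchone()
    return bool(row and row[0])

def can_modify_bound(db, user_name, object_id):
    # Hardened pattern: values travel as bound parameters and are never parsed
    # as SQL, whatever characters they contain.
    row = db.execute(
        "SELECT can_modify FROM role_grants WHERE user_name = ? AND object_id = ?",
        (user_name, object_id),
    ).fetchone()
    return bool(row and row[0])

# Constructed input: ends the string literal early and appends a second SELECT.
CRAFTED_ID = "x' UNION SELECT 1 --"

def compare(user_name="readonly_analyst"):
    db = make_db()
    return {
        "concat_normal": can_modify_concat(db, user_name, "COLL001"),
        "concat_crafted": can_modify_concat(db, user_name, CRAFTED_ID),
        "bound_crafted": can_modify_bound(db, user_name, CRAFTED_ID),
    }

if __name__ == "__main__":
    for name, allowed in compare().items():
        print(f"{name}: {allowed}")
```

Binding parameters fixes the check. Running the check's database session under a least-privileged account rather than sysadmin limits what any remaining query flaw can reach.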
Maturity: Exploit
Mehdi Elyassa (https://twitter.com/kalimer0x00) with Synacktiv (https://www.synacktiv.com/)