CVE-2025-47178: 
vulnerability analysis and mitigation

CVE-2025-47178 is a SQL injection vulnerability discovered in Microsoft Configuration Manager, disclosed on July 8, 2025. This security flaw affects Microsoft Configuration Manager versions up to (excluding) 5.00.9135.1003, allowing an authorized attacker to execute code over an adjacent network (NVD, Krebs).

The vulnerability is classified as an improper neutralization of special elements used in an SQL command (SQL injection) with a CVSS v3.1 base score of 8.0 (HIGH). The attack vector is adjacent network (AV:A), with low attack complexity (AC:L), requiring low privileges (PR:L), and no user interaction (UI:N). The scope is unchanged (S:U), with high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H) (NVD).

The vulnerability allows an attacker to execute arbitrary SQL queries as the privileged SMS service account in Microsoft Configuration Manager. This access can be leveraged to manipulate deployments, push malicious software or scripts to all managed devices, alter configurations, steal sensitive data, and potentially escalate to full operating system code execution across the enterprise, giving the attacker broad control over the entire IT environment (Krebs).

Microsoft has released security updates to address this vulnerability as part of the July 2025 Patch Tuesday. Organizations using Microsoft Configuration Manager should update to version 5.00.9135.1003 or later to protect against this vulnerability (NVD).