Microsoft Configuration Manager (SCCM) is not just a tool for deploying updates. It is a platform for managing an enterprise's IT infrastructure in the broadest sense: it holds a store of credentials and can execute arbitrary code on thousands of devices at once.
Once attackers take control of it, SCCM therefore becomes a ready-made C2 for further attacks on the infrastructure. At the same time, privilege escalation inside SCCM often goes unnoticed by traditional anti-malware tools, because the attacker's actions look like ordinary administrative activity.
The logical vulnerability CVE-2025-47179 is a case in point: it gives full control over SCCM without a buffer overflow, an injection, or an authentication bypass. SCCM behaves exactly as designed throughout. The problem is that the documented purpose of a role and the powers it actually grants contradict each other.
Our experts detect such attacks with the SCCMInfo tool, which monitors the SCCM server by subscribing to WMI events. In particular, while CVE-2025-47179 is being exploited, the tool shows a user that is unknown to it and holds only a limited role (CMPivot Administrator) creating a new administrative user record and assigning it the Full Administrator role.
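To illustrate the kind of WMI subscription described above, here is an added PowerShell example; it is not SCCMInfo's code and is not taken from the article. It assumes a site code of PS1 (replace it with yours), the SMS Provider class and property names SMS_Admin.AdminID/LogonName/Roles and SMS_Role.RoleID/RoleName, that Roles is a lazy property that enumeration leaves empty, and that WMI delivers creation and modification events for provider classes by polling, which is why every query carries a WITHIN interval. It reports two of the signs the text mentions: a new administrative user record, and an existing record gaining the Full Administrator role.

```powershell
<#
 Added example, not SCCMInfo's own code: subscribe to WMI/CIM intrinsic events
 on the SMS Provider and report (a) new SMS_Admin records and (b) administrators
 that gain the Full Administrator role.
 Assumptions: site code 'PS1'; the class/property names SMS_Admin.AdminID,
 LogonName, Roles and SMS_Role.RoleID, RoleName; Roles being a lazy property;
 and polled delivery of __InstanceCreationEvent/__InstanceModificationEvent
 (hence WITHIN). Run on a host with rights to the SMS Provider.
#>
param(
    [string]$SiteCode = 'PS1',
    [int]$PollSeconds = 30
)

$ns = "root\SMS\site_$SiteCode"

# Map role IDs to display names so the check does not hard-code an ID.
$roleNames = @{}
Get-CimInstance -Namespace $ns -ClassName SMS_Role |
    ForEach-Object { $roleNames[$_.RoleID] = $_.RoleName }

# Fetch one SMS_Admin record with its Roles populated. Roles is assumed lazy,
# so the enumerated instance is fetched again by path (-InputObject).
function Get-AdminRecord {
    param([uint32]$AdminID)
    Get-CimInstance -Namespace $ns -ClassName SMS_Admin -Filter "AdminID=$AdminID" |
        ForEach-Object { Get-CimInstance -InputObject $_ } |
        ForEach-Object {
            [pscustomobject]@{
                AdminID   = $_.AdminID
                LogonName = $_.LogonName
                Roles     = @($_.Roles | ForEach-Object { if ($roleNames[$_]) { $roleNames[$_] } else { $_ } })
            }
        }
}

# Baseline: the administrative users that exist when monitoring starts.
$known = @{}
Get-CimInstance -Namespace $ns -ClassName SMS_Admin |
    ForEach-Object { $known[$_.AdminID] = Get-AdminRecord -AdminID $_.AdminID }
Write-Host "Baseline: $($known.Count) administrative users in $ns"

# Intrinsic events on SMS_Admin. WITHIN is required for polled classes.
$queries = @{
    SccmAdminCreated  = "SELECT * FROM __InstanceCreationEvent WITHIN $PollSeconds WHERE TargetInstance ISA 'SMS_Admin'"
    SccmAdminModified = "SELECT * FROM __InstanceModificationEvent WITHIN $PollSeconds WHERE TargetInstance ISA 'SMS_Admin'"
}
foreach ($id in $queries.Keys) {
    Register-CimIndicationEvent -Namespace $ns -Query $queries[$id] -SourceIdentifier $id | Out-Null
}

try {
    while ($true) {
        $evt    = Wait-Event
        $target = $evt.SourceEventArgs.NewEvent.TargetInstance
        Remove-Event -EventIdentifier $evt.EventIdentifier

        # The event's TargetInstance may lack lazy properties; re-read it.
        $now = Get-AdminRecord -AdminID $target.AdminID
        if (-not $now) { continue }          # record was deleted again meanwhile
        $before = $known[[uint32]$target.AdminID]
        $stamp  = (Get-Date).ToString('s')

        if (-not $before) {
            Write-Warning "$stamp NEW ADMIN RECORD: $($now.LogonName) roles=[$($now.Roles -join ', ')]"
        }
        $hadFull = $before -and ($before.Roles -contains 'Full Administrator')
        if (($now.Roles -contains 'Full Administrator') -and -not $hadFull) {
            Write-Warning "$stamp FULL ADMINISTRATOR GRANTED to $($now.LogonName) (AdminID $($now.AdminID))"
        }
        $known[$now.AdminID] = $now
    }
}
finally {
    foreach ($id in $queries.Keys) { Unregister-Event -SourceIdentifier $id -ErrorAction SilentlyContinue }
}
```

Two caveats for anyone adapting this. Polled WQL events enumerate the class on every interval, so keep the interval moderate on a large site. And a WMI event carries no actor: telling that the record was created by an account holding only the CMPivot Administrator role, as the text describes, requires correlating the event with SCCM's own audit status messages, which this example leaves out.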
SCCMInfo also tracks several other classes of WMI events that can indicate an attack even though they look like legitimate actions within normal SCCM operation, which is precisely why traditional security tools miss them.
For details, see the article by Alexander Rodchenko and Gleb Ivanov, "Role-playing games: when SCCM turns into C2".

