Microsoft released the KB33926600 hotfix for SCCM versions 2403 and 2409 on July 30, 2025, addressing the vulnerability outlined in CVE-2025-47178. The same update is included with Configuration Manager current branch, version 2503.
CVE-2025-47178 is a SQL injection vulnerability caused by improper neutralization of special elements used in SQL commands. An authenticated attacker can run arbitrary SQL queries as the SMS service (with sysadmin privileges). To mitigate this security issue, you must install the KB33926600 update for SCCM.
Important Notes
The security update KB33926600 does not require a computer restart but does necessitate a site reset following installation. However, during testing in my lab, the site reset did not occur after applying the hotfix. I will monitor further to confirm if the reset eventually takes place.

Use the below links to read documentation about this hotfix and the associated CVE.
- KB 33926600: https://learn.microsoft.com/en-us/intune/configmgr/hotfix/2409/33926600
- CVE-2025-47178: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-47178
Hotfix KB33926600 missing in console
Important: if you don’t find the KB33926600 security update in your Configuration Manager console for version 2403 and 2409 environments, make sure you have the following updates applied.
- 2403: KB28204160 update rollup for Configuration Manager version 2403
- 2409: KB30385346 update rollup for Configuration Manager version 2409
Install KB33926600 Hotfix for SCCM
Launch the Configuration Manager console on the server. Navigate to Administration\Overview\Updates and Servicing. Right-click Configuration Manager Hotfix Update (KB33926600) and select ‘Install Update Pack.’

It is highly recommended that you run a prerequisite check for this update on your production server before installing it. For lab environments, you can enable the option “Ignore any prerequisite check warnings and install the update.” Click Next.

Accept the license terms for installing the hotfix. Click Next. Review the hotfix configurations on the Summary page and click Next. Close the Configuration Manager updates wizard. The hotfix installation begins now.

SMS Provider Updates
The hotfix doesn’t include updates for the console or the client agent. It contains only site server updates, so the SMS Provider (smsprov.dll) is updated to the following versions.
| CM Version | SMS Provider details |
|---|---|
| 2403 | 5.00.9128.1034 |
| 2409 | 5.00.9132.1028 |
In the below screenshot, we see KB33926600 installation has updated the version of SMSProv.dll to 5.00.9128.1034.
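
One way to check the result without relying on a screenshot, as an added PowerShell example that is not part of the original post or Microsoft's documentation: it compares an smsprov.dll file version against the two versions in the table above. The function names and parameters are hypothetical, and the path to smsprov.dll is an assumption you supply for your own installation.

```powershell
# Added example, not from the original post. Function and parameter names are hypothetical.
# Post-KB33926600 SMS Provider versions from the table above, keyed by build number.
# "5.00" in the table is written as "5.0" here; both parse to the same [version].
$PatchedProvider = @{
    9128 = @{ CMVersion = '2403'; Minimum = [version]'5.0.9128.1034' }
    9132 = @{ CMVersion = '2409'; Minimum = [version]'5.0.9132.1028' }
}

function Get-SmsProvFileVersion {
    param([Parameter(Mandatory)][string]$Path)
    $vi = (Get-Item -LiteralPath $Path -ErrorAction Stop).VersionInfo
    # Build the version from the numeric parts so string padding cannot affect the comparison.
    [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
}

function Test-SmsProvVersion {
    param([Parameter(Mandatory)][version]$FileVersion)

    $entry = $PatchedProvider[$FileVersion.Build]
    if (-not $entry) {
        # Not a 2403/2409 provider build, so the table says nothing about it.
        $status = 'BuildNotInTable'
    } elseif ($FileVersion -ge $entry.Minimum) {
        $status = 'Patched'
    } else {
        $status = 'NotPatched'
    }

    [pscustomobject]@{
        FileVersion = $FileVersion
        CMVersion   = if ($entry) { $entry.CMVersion } else { $null }
        Required    = if ($entry) { $entry.Minimum } else { $null }
        Status      = $status
    }
}

# Constructed sample input: the two table values plus one made-up older 2403 build.
'5.0.9128.1034', '5.0.9128.1000', '5.0.9132.1028' |
    ForEach-Object { Test-SmsProvVersion -FileVersion $_ }

# On the SMS Provider server (placeholder path, replace with your own):
# Test-SmsProvVersion -FileVersion (Get-SmsProvFileVersion -Path '<path to smsprov.dll>')
```

A `NotPatched` result on a 2403 or 2409 provider means the hotfix has not updated that server yet; `BuildNotInTable` only means the build is outside the two versions this page lists.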

Monitoring the Hotfix KB33926600 Installation
While the hotfix installation is in progress, you can navigate to Monitoring\Overview\Updates and Servicing Status to see the detailed installation status for the update. If the hotfix fails to install, this section will show you the exact step where the update failed. Another way to track the hotfix installation is by reviewing the cmupdate.log file.
The KB33926600 update required a total of 14 minutes to install on the 2403 server, and there were no errors encountered at any point in the installation process. You don’t have to restart your server after the installation of this update.
Updating KB33926600 on Secondary Sites
After you’ve installed the hotfix rollup update KB33926600 on a primary site, pre-existing secondary sites must be manually updated. Read more about secondary site installation in SCCM to get an idea of how to install secondary sites in SCCM.
To update a secondary site in the Configuration Manager console, select Administration > Site Configuration > Sites > Recover Secondary Site, and then select the secondary site. Run the following SQL Server command on the site database to check whether the update version of a secondary site matches that of its parent primary site:
```sql
select dbo.fnGetSecondarySiteCMUpdateStatus ('SiteCode_of_secondary_site')
```
- If the value 1 is returned, the site is up-to-date, with all the hotfixes applied on its parent primary site.
- If the value 0 is returned, the site has not installed all the fixes that are applied to the primary site, and you should use the Recover Secondary Site option to update the secondary site.




> The security update KB33926600 does not require a computer restart but does necessitate a site reset following installation. However, during testing in my lab, the site reset did not occur after applying the hotfix. I will monitor further to confirm if the reset eventually takes place.
Why should it be done automatically when MS says you should do it manually after installing the KB, and how can you say @Reddit that's not necessary? How will you know that?
Regards,
Sascha
I have seen instances where a site reset was done even though the documentation mentioned that it doesn’t happen. I basically rely on my own testing and like to confirm things even though it's documented/not documented.