Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Network-reachable deserialization needing a low-privilege login (PR:L) and no user interaction, yielding RCE with full C/I/A impact in the service context; scope unchanged.
Primary rating from Vendor (microsoft).
CVSS VectorVendor: microsoft
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Deserialization of untrusted data in SQL Server allows an authorized attacker to execute code over a network.
AnalysisAI
Remote code execution in Microsoft SQL Server 2025 (CU6 and the x64 GDR branch) lets an authenticated attacker run arbitrary code across the network by supplying maliciously crafted serialized data that the server deserializes without validation (CWE-502). The flaw was reported by Microsoft, carries a CVSS 3.1 base score of 8.8, and a vendor patch is available; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to already possess a valid low-privileged authenticated SQL Server login (CVSS PR:L) and network reachability to the instance (AV:N, typically TCP 1433); no user interaction is needed (UI:N) and attack complexity is low (AC:L). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H describes a network-reachable (AV:N), low-complexity (AC:L) attack that requires low privileges (PR:L) and no user interaction (UI:N), with high impact to confidentiality, integrity, and availability - a score of 8.8 (High). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained a low-privilege SQL Server login - for example via a compromised application connection string or a leaked service credential - sends a crafted request containing a malicious serialized object to the network-exposed instance. When SQL Server deserializes the untrusted data, the object graph triggers execution of attacker-controlled code in the context of the database service, giving the attacker a foothold with the service account's privileges. … |
| Remediation | Apply the vendor update: a patch is available per the Microsoft advisory, so install the fixed CU6/GDR build for Microsoft SQL Server 2025 as documented at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-54117 (consult the MSRC page for the exact patched build number matching your servicing branch - CU versus GDR). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, inventory all Microsoft SQL Server 2025 instances, specifically identifying which are running CU6 or the x64 GDR branch, and assess network accessibility and credential exposure risk. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Remote code execution in Microsoft SQL Server (2016 SP3 through 2025) allows an authenticated, low-privileged attacker t
Privilege elevation in Microsoft SQL Server (2016 SP3 through 2025) allows an authenticated attacker to inject crafted S
Local privilege elevation in Microsoft SQL Server (2016 SP3 through 2025) allows an already-authenticated database user
Local privilege elevation in Microsoft SQL Server (2016 SP3 through 2025) allows an already-authenticated database user
Type confusion (CWE-843) in Microsoft SQL Server 2025 enables authenticated, low-privileged network attackers to disclos
Buffer over-read in Microsoft SQL Server 2025 exposes server memory contents to low-privileged authenticated attackers o
Same weakness CWE-502 – Deserialization of Untrusted Data
View allSame technique Deserialization
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44031
GHSA-hx3c-jrf3-3m7r