Skip to main content

Microsoft SQL Server CVE-2026-54117

| EUVDEUVD-2026-44031 HIGH
Deserialization of Untrusted Data (CWE-502)
2026-07-14 microsoft GHSA-hx3c-jrf3-3m7r
8.8
CVSS 3.1 · Vendor: microsoft
Share

Severity by source

Vendor (microsoft) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
ENISA EUVD
HIGH
qualitative
vuln.today AI
8.8 HIGH

Network-reachable deserialization needing a low-privilege login (PR:L) and no user interaction, yielding RCE with full C/I/A impact in the service context; scope unchanged.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (microsoft).

CVSS VectorVendor: microsoft

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 14, 2026 - 18:10 vuln.today
CVE Published
Jul 14, 2026 - 17:05 nvd
HIGH 8.8

DescriptionCVE.org

Deserialization of untrusted data in SQL Server allows an authorized attacker to execute code over a network.

AnalysisAI

Remote code execution in Microsoft SQL Server 2025 (CU6 and the x64 GDR branch) lets an authenticated attacker run arbitrary code across the network by supplying maliciously crafted serialized data that the server deserializes without validation (CWE-502). The flaw was reported by Microsoft, carries a CVSS 3.1 base score of 8.8, and a vendor patch is available; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with low-privilege SQL login
Delivery
Reach SQL Server over network (1433)
Exploit
Submit crafted serialized payload
Execution
Server deserializes untrusted data
Impact
Execute code as service account

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to already possess a valid low-privileged authenticated SQL Server login (CVSS PR:L) and network reachability to the instance (AV:N, typically TCP 1433); no user interaction is needed (UI:N) and attack complexity is low (AC:L). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H describes a network-reachable (AV:N), low-complexity (AC:L) attack that requires low privileges (PR:L) and no user interaction (UI:N), with high impact to confidentiality, integrity, and availability - a score of 8.8 (High). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained a low-privilege SQL Server login - for example via a compromised application connection string or a leaked service credential - sends a crafted request containing a malicious serialized object to the network-exposed instance. When SQL Server deserializes the untrusted data, the object graph triggers execution of attacker-controlled code in the context of the database service, giving the attacker a foothold with the service account's privileges. …
Remediation Apply the vendor update: a patch is available per the Microsoft advisory, so install the fixed CU6/GDR build for Microsoft SQL Server 2025 as documented at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-54117 (consult the MSRC page for the exact patched build number matching your servicing branch - CU versus GDR). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, inventory all Microsoft SQL Server 2025 instances, specifically identifying which are running CU6 or the x64 GDR branch, and assess network accessibility and credential exposure risk. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54117 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy