Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Network-reachable database with low-complexity exploit needing an authenticated low-privilege login (PR:L), no user interaction, yielding full RCE and high C/I/A impact.
Primary rating from Vendor (microsoft).
CVSS VectorVendor: microsoft
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Deserialization of untrusted data in SQL Server allows an authorized attacker to execute code over a network.
AnalysisAI
Remote code execution in Microsoft SQL Server (2016 SP3 through 2025) allows an authenticated, low-privileged attacker to run arbitrary code on the database server by sending crafted data that the engine deserializes unsafely (CWE-502). Any account able to submit queries or data over the network to a vulnerable instance can achieve full compromise of confidentiality, integrity, and availability. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires network access to a SQL Server instance (TDS/port 1433 by default) and a valid authenticated database login, consistent with PR:L in the CVSS vector - the description's phrase 'authorized attacker' confirms credentials are mandatory, which is the principal limiting factor. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, 8.8) describes network-reachable, low-complexity exploitation requiring only low privileges and no user interaction, yielding full high impact on all three security properties - a serious profile because most SQL Server deployments grant query access to numerous application and user accounts, so the PR:L barrier is low in practice. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who holds or phishes any low-privileged SQL Server login connects over the network and submits specially crafted data that the engine deserializes, triggering a gadget chain that executes attacker code in the SQL Server service context. Given AV:N/AC:L, the request is straightforward and needs no user interaction, so a single compromised application service account could pivot to full server takeover. … |
| Remediation | Patch available per vendor advisory: apply the SQL Server security update for your branch (2016 SP3, 2017, 2019, 2022, or 2025) via the GDR or CU servicing train you are on, following the build-specific fixed versions listed in the MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-54118 - choose the GDR update if you apply security-only fixes or the corresponding cumulative update (e.g., CU 31/CU 32/CU 25/CU 6) if you are on the CU train. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, inventory all SQL Server instances running versions 2016 SP3 through 2025 and prioritize identifying production systems; restrict database access during this period to only essential trusted user accounts. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
External control of file name or path in SQL Server allows an authorized attacker to execute code over a network.
Privilege elevation in Microsoft SQL Server (2016 SP3 through 2025) allows an authenticated attacker to inject crafted S
Local privilege elevation in Microsoft SQL Server (2016 SP3 through 2025) allows an already-authenticated database user
Local privilege elevation in Microsoft SQL Server (2016 SP3 through 2025) allows an already-authenticated database user
SQL injection in Microsoft SQL Server 2016-2025 allows authenticated high-privilege attackers to elevate privileges loca
SQL injection in Microsoft SQL Server 2016-2025 allows authenticated high-privilege attackers to elevate privileges loca
Same weakness CWE-502 – Deserialization of Untrusted Data
View allSame technique Deserialization
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44032
GHSA-c2qv-v7mm-7vwh