CVE-2026-54117 – Microsoft SQL Server Remote Code Execution Vulnerability
“One compromised database account can become the key to controlling the entire SQL Server.”
A deserialization of untrusted data vulnerability in Microsoft SQL Server allows an authenticated attacker to execute code over a network. An attacker with explicit permissions can log in to the SQL Server and elevate privileges to sysadmin, potentially gaining full administrative control over the database environment.
CVSS Score: 8.8
SEVERITY: Critical
THREAT:
This vulnerability affects Microsoft SQL Server 2025 and allows an authenticated attacker with low privileges to execute code remotely. Successful exploitation can result in privilege escalation to sysadmin, enabling unauthorized access to databases, modification or deletion of critical information, deployment of malware, or further compromise of connected systems.
EXPLOITS:
The vulnerability was not publicly disclosed at the time of publication. Microsoft assesses exploitation as less likely. The CVSS v3.1 temporal metrics list exploit code maturity as Unproven, and the available information does not confirm the existence of publicly available proof-of-concept exploit code.
TECHNICAL SUMMARY:
The vulnerability is caused by deserialization of untrusted data (CWE-502) in Microsoft SQL Server. An authenticated attacker with explicit permissions can submit specially crafted serialized data that is improperly processed by the SQL Server. This can allow arbitrary code execution and privilege escalation to sysadmin. The CVSS v3.1 metrics identify a network attack vector, low attack complexity, low privileges required, and no user interaction. Successful exploitation has high impact on confidentiality, integrity, and availability.
EXPLOITABILITY:
Affected products include Microsoft SQL Server 2025 for x64-based Systems (CU6) and Microsoft SQL Server 2025 for x64-based Systems (GDR). Exploitation requires an authenticated attacker with explicit permissions to access the SQL Server, after which they may elevate privileges to sysadmin and execute arbitrary code.
BUSINESS IMPACT:
SQL Server environments often host business-critical applications and sensitive enterprise data. Successful exploitation could result in unauthorized access to confidential information, manipulation or destruction of business records, service outages, regulatory consequences, and broader compromise of enterprise infrastructure.
WORKAROUND:
No mitigations or workarounds are available. Organizations should install the appropriate SQL Server 2025 security update that matches their current servicing branch (GDR or CU).
URGENCY:
This vulnerability should be treated as a high priority because it is rated Critical with a CVSS v3.1 Base Score of 8.8. The flaw is remotely exploitable, requires no user interaction, and can allow an authenticated attacker to gain sysadmin privileges and execute arbitrary code on affected SQL Server systems.
Key Details
- Attack Vector
- Network
- Attack Complexity
- Low
- Privileges Required
- Low
- User Interaction
- None
- CWE Classification
- CWE-502