CVE-2026-54118 – Microsoft SQL Server Remote Code Execution Vulnerability

CVSS 8.8 IMPORTANT Critical or Zero Day – Immediate Deployment

“A compromised SQL Server can put an organization’s most valuable data and critical operations directly in an attacker’s hands.”

A deserialization of untrusted data vulnerability in Microsoft SQL Server allows an authenticated attacker to execute code over a network. An attacker with explicit permissions can log in to the SQL Server and elevate privileges to sysadmin, potentially gaining broad control over the database environment and the underlying system.

CVSS Score: 8.8

SEVERITY: Critical

THREAT:
This vulnerability affects Microsoft SQL Server and allows an attacker with low privileges to execute code remotely after authenticating to the server. Successful exploitation could allow the attacker to elevate privileges to sysadmin, access sensitive databases, modify or delete records, disrupt services, or use the SQL Server as a foothold for broader attacks.

EXPLOITS:
The vulnerability was not publicly disclosed at the time of publication. Microsoft assesses exploitation as less likely. The CVSS v3.1 temporal metrics list exploit code maturity as Unproven, and the available information does not confirm the existence of publicly available proof-of-concept exploit code.

TECHNICAL SUMMARY:
The vulnerability is caused by deserialization of untrusted data (CWE-502) in Microsoft SQL Server. An authenticated attacker with explicit permissions can submit malicious serialized data to the vulnerable component. Improper processing of that data can allow code execution and privilege elevation to sysadmin. The CVSS v3.1 metrics identify a network attack vector, low attack complexity, low privileges required, and no user interaction. Successful exploitation has high impact on confidentiality, integrity, and availability.

EXPLOITABILITY:
Affected products include Microsoft SQL Server 2016 Service Pack 3, SQL Server 2016 Azure Connect Feature Pack, SQL Server 2017, SQL Server 2019, SQL Server 2022, and SQL Server 2025 across applicable GDR and CU servicing branches. Exploitation requires an authenticated attacker with explicit permissions to access the SQL Server. The attacker can then attempt to elevate privileges to sysadmin.

BUSINESS IMPACT:
SQL Server often stores financial records, customer information, operational data, and other sensitive business assets. Successful exploitation could result in unauthorized database access, data theft, record manipulation, service disruption, regulatory exposure, and compromise of connected applications or systems.

WORKAROUND:
No mitigations or workarounds are available. Organizations should use the update package that matches their current SQL Server servicing path. GDR installations should remain on the GDR path, while systems already using cumulative updates should use the applicable CU security update. Once an installation moves from GDR to CU, it cannot return to the GDR path.

URGENCY:
This vulnerability should be treated as a high priority because it is rated Critical with a CVSS v3.1 Base Score of 8.8. The flaw is remotely exploitable, has low attack complexity, requires no user interaction, and can allow an authenticated attacker to gain sysadmin privileges and execute code on affected SQL Server systems.

Key Details

Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
CWE Classification
CWE-502
Patch this CVE on all your endpoints in under 5 minutes. First 200 endpoints are free forever, scale as needed.