Impact
The vulnerability is an improper access control flaw in Microsoft SQL Server that allows an authorized user with limited privileges to gain higher level permissions over the network. It is a CWE-284 (Improper Privilege Management) issue. Once exploited, the attacker can perform administrative actions, access sensitive data, modify schema, or execute arbitrary commands, thereby compromising confidentiality, integrity, and availability of the database instance.
Affected Systems
Microsoft SQL Server 2016 Service Pack 3 and its Azure Connect Feature Pack; SQL Server 2017 versions CU 31 and GDR; SQL Server 2019 versions CU 32 and GDR; SQL Server 2022 versions GDR and CU 23 (x64); SQL Server 2025 versions CU 2 and GDR (x64). All listed builds are vulnerable according to Microsoft’s advisory.
Risk and Exploitability
The flaw carries a CVSS v3.1 score of 8.8, which is considered high severity. The EPSS score of 2% indicates a low but non‑zero probability of exploitation in the wild, and the vulnerability is not listed in CISA’s KEV catalog. The attack vector is inferred to be network‑based, requiring the attacker to have network access to the SQL Server instance and be authorized with a user account that has some privileges, but it does not require local physical or administrative access. If exploited, the attacker can elevate to administrative privileges, gain access to all database objects, and potentially impact downstream applications.
OpenCVE Enrichment