The vulnerability is caused by improper validation of a specific type of input in Microsoft SQL Server. As a result, an attacker who already has authorized access to a network can elevate their privileges to a higher level. This represents a classic privilege‑escalation flaw where the attacker could potentially gain administrative rights or perform actions beyond their intended scope. The weakness is identified as CWE‑1287, which describes an authorization bypass through user-controlled keys or validation errors.

Affected systems include Microsoft SQL Server 2016 Service Pack 3 (GDR and Azure Connect Feature Pack), Microsoft SQL Server 2017 (CU 31 and GDR), Microsoft SQL Server 2019 (CU 32 and GDR), Microsoft SQL Server 2022 (GDR and CU 23 for x64‑based systems), and Microsoft SQL Server 2025 (CU 2 and GDR for x64‑based systems). Specific version details are not provided in the CNA affected version list, but the product names and service pack levels listed above are the affected configurations. The Common Platform Enumeration strings confirm coverage across multiple SQL Server releases on x64 platforms.

The CVSS score of 8.8 labels this a high‑severity vulnerability, indicating a significant impact if successfully exploited. The EPSS score of less than 1% suggests that exploitation is currently improbable, and the vulnerability is not catalogued in the CISA KEV repository. Attackers would need existing authorized network access to the SQL Server instance and would exploit the faulty input validation to raise their privileges. Because the attack vector requires local or network-level credentials, the exploitation conditions are relatively constrained compared to remote code execution flaws.