CVE-2026-54117: Microsoft SQL Server Remote Code Execution Vulnerability

Overview

Severity
High (CVSS 8.8)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Category
Remote Code Execution
Exploit Status
Not Exploited
Exploitation Likelihood
Less Likely
Patch Tuesday
2026-Jul
Released
2026-07-14

Description

Deserialization of untrusted data in SQL Server allows an authorized attacker to execute code over a network.

FAQ

How could an attacker exploit this vulnerability? An authenticated attacker with explicit permissions could exploit the vulnerability by logging in to the SQL server and could then elevate their privileges to sysadmin. According to the CVSS metric, the attack vector is network (AV:N) and the attack complexity is low (AC:L). What does that mean for this vulnerability? The attack vector is Network (AV:N) because this vulnerability is remotely exploitable and can be exploited from the internet. The attack complexity is Low (AC:L) because an attacker does not require significant prior knowledge of the system and can achieve repeatable success with the payload against the vulnerable component. I am running SQL Server on my system. What action do I need to take? Update your relevant version of SQL Server. Any applicable driver fixes are included in those updates. There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use? First, determine your SQL Server version number. For more information on determining your SQL Server version number, see Microsoft Knowledge Base Article 321185 - How to determine the version, edition, and update level of SQL Server and its components. Second, in the following table, locate your version number or the version range that your version number falls within. The corresponding update is the one you need to install. Note If your SQL Server version number is not represented in the table below, your SQL Server version is no longer supported. Please upgrade to the latest Service Pack or SQL Server product to apply this and future security updates. Update Number Title Version Apply if current product version is… This security update also includes servicing releases up through… 5101346 Security update for SQL Server 2025 CU6+GDR 17.0.4060.2 17.0.4006.2 - 17.0.4055.5 KB5093421 - Previous SQL2025 RTM CU6 5102333 Security update for SQL Server 2025 RTM+GDR 17.0.1125.2 17.0.1000.

Affected Products (2)

SQL Server

  • Microsoft SQL Server 2025 for x64-based Systems (GDR)
  • Microsoft SQL Server 2025 for x64-based Systems (CU6)

Security Updates (2)

Acknowledgments

<a href="https://twitter.com/chudypb">Piotr Bazydło (@chudypb)</a>

Revision History

  • 2026-07-14: Information published.