Microsoft has disclosed a critical zero-day vulnerability in SQL Server that allows authenticated attackers to escalate their privileges to the highest administrative level on affected database systems.
Tracked as CVE-2026-21262, the flaw was officially released on March 10, 2026, and has already been publicly disclosed, raising urgent concerns for organizations running SQL Server across enterprise environments.
The vulnerability stems from improper access control (CWE-284) within Microsoft SQL Server, enabling an authorized attacker to elevate privileges over a network.
According to Microsoft’s advisory, a threat actor who successfully exploits this flaw could gain SQL sysadmin privileges, the highest level of access within a SQL Server environment, thereby gaining complete control over the database instance.
The flaw carries a CVSS v3.1 base score of 8.8, classified as Important severity. The attack vector is network-based with low complexity, requires only low-level privileges to initiate, and demands no user interaction.
The impact spans all three critical security dimensions: confidentiality, integrity, and availability, all rated High, making this vulnerability particularly dangerous in data-sensitive environments.
Microsoft SQL Server Zero-Day Vulnerability
Microsoft confirmed that the vulnerability has been publicly disclosed but not yet actively exploited in the wild, with exploitability assessed as “Exploitation Less Likely.” However, the public disclosure status significantly lowers the barrier for threat actors to develop working exploits.
An authenticated attacker with explicit permissions can exploit the vulnerability by logging into the SQL Server instance and leveraging the improper access control flaw to escalate their session to the sysadmin level.
This type of privilege escalation attack is especially dangerous in multi-tenant or shared database environments, where low-privileged users may already have legitimate access.
Microsoft has released security updates covering SQL Server 2016 through the newly released SQL Server 2025. Administrators should identify their current version and apply the appropriate GDR or Cumulative Update (CU) patch accordingly. Key updates include:
- SQL Server 2025: KB updates 5077466 (CU2+GDR) and 5077468 (RTM+GDR)
- SQL Server 2022: KB updates 5077464 (CU23+GDR) and 5077465 (RTM+GDR)
- SQL Server 2019: KB updates 5077469 (CU32+GDR) and 5077470 (RTM+GDR)
- SQL Server 2017: KB updates 5077471 and 5077472
- SQL Server 2016: KB updates 5077473 and 5077474
SQL Server instances hosted on Windows Azure (IaaS) can receive updates via Microsoft Update or through manual download from the Microsoft Download Center.
Security teams should prioritize patching immediately, given the public disclosure status of this vulnerability. Organizations should audit SQL Server user permissions, restrict explicit privileges to trusted accounts only, and monitor for anomalous privilege escalation activity within database logs.
Versions no longer supported by Microsoft should be upgraded to a supported release to receive this and future security patches.
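The version check, sysadmin audit and monitoring steps recommended above, as an added T-SQL example that is not part of Microsoft's advisory or this article. It assumes sysadmin rights on the instance for the audit setup and uses a placeholder audit directory; the fixed build numbers for each KB are not given here, so compare the returned build against the KB article for your branch.

```sql
-- 1. Identify the installed version and servicing level so the matching
--    GDR or CU package from the list above can be chosen.
SELECT
    SERVERPROPERTY('ProductMajorVersion') AS major_version,  -- 13=2016 14=2017 15=2019 16=2022 17=2025
    SERVERPROPERTY('ProductVersion')      AS product_version,
    SERVERPROPERTY('ProductLevel')        AS product_level,  -- RTM or CUnn branch
    SERVERPROPERTY('ProductUpdateLevel')  AS update_level;

-- 2. Baseline the sysadmin role: a successful escalation ends with an extra
--    member here, so keep this list and diff it on a schedule.
SELECT
    sp.name        AS login_name,
    sp.type_desc   AS login_type,
    sp.is_disabled,
    sp.create_date,
    sp.modify_date
FROM sys.server_role_members AS rm
JOIN sys.server_principals  AS r  ON r.principal_id  = rm.role_principal_id
JOIN sys.server_principals  AS sp ON sp.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY sp.modify_date DESC;

-- 3. Record server role membership, permission and principal changes with
--    SQL Server Audit so an escalation leaves an entry in the database logs.
--    FILEPATH is a placeholder; point it at a directory the service can write.
USE master;
CREATE SERVER AUDIT PrivEscAudit
    TO FILE (FILEPATH = N'C:\SQLAudit\')
    WITH (ON_FAILURE = CONTINUE);

CREATE SERVER AUDIT SPECIFICATION PrivEscAuditSpec
    FOR SERVER AUDIT PrivEscAudit
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (SERVER_PERMISSION_CHANGE_GROUP),
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP)
    WITH (STATE = ON);

ALTER SERVER AUDIT PrivEscAudit WITH (STATE = ON);

-- 4. Review the audit trail for anything touching the sysadmin role.
SELECT event_time, action_id, server_principal_name, object_name, statement
FROM sys.fn_get_audit_file(N'C:\SQLAudit\*.sqlaudit', DEFAULT, DEFAULT)
WHERE object_name = N'sysadmin'
   OR statement LIKE N'%sysadmin%'
ORDER BY event_time DESC;
```

Any login appearing in step 2 or step 4 that is not in the set of trusted accounts should be removed from the role and investigated before the patch is applied, since the update closes the flaw but does not undo an escalation that already happened.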