CVE-2026-40370: SQL Server External Control of File Name or Path Vulnerability
CVE-2026-40370 allows an authorized attacker with control over file names or paths to execute code over a network in Microsoft SQL Server.
CVE-2026-40370 is a vulnerability in Microsoft SQL Server whose weakness class is external control of file name or path (CWE-73): a file name or path that SQL Server uses in a file operation can be influenced by an authenticated user, and an authorized attacker who controls that path can turn it into code execution over the network. The published description does not identify which SQL Server operation or interface accepts the attacker-controlled path, so the exact exploitation route is not public; what the weakness class implies is that SQL Server trusts an externally supplied path without adequately canonicalizing or restricting it. Because any resulting code runs in the context of the SQL Server service, successful exploitation can lead to full compromise of the host, theft or tampering of data, or denial of service.
Attack Chain
- An authorized user (an authenticated SQL Server login with the relevant permissions) gains the ability to supply a file path or name that SQL Server will use in a file operation. The advisory does not say which feature this is; a stored procedure or another interface that takes a path parameter is the typical shape.
- The attacker crafts a path that points outside the intended location, for example one containing directory traversal sequences, an absolute path, or a UNC path, so that SQL Server reads from or writes to a file of the attacker's choosing rather than one in the expected directory.
- SQL Server performs the file operation on the attacker-controlled path without adequately canonicalizing or validating it.
- The attacker leverages that file access to get code run, for instance by placing or overwriting a file in a location from which it is later loaded or executed.
- The resulting code runs with the privileges of the SQL Server service account.
- The attacker now controls the SQL Server instance and uses it to access sensitive data, modify databases, or pivot to other systems on the network.
Impact
Successful exploitation of CVE-2026-40370 allows an authorized attacker to execute arbitrary code on the SQL Server host with the privileges of the SQL Server service account. This can lead to complete compromise of the instance and, depending on how the service account is provisioned, of the host: the attacker can steal sensitive data, modify databases, install backdoors, or use the compromised server as a staging point for further attacks within the network. The vulnerability has a CVSS v3.1 base score of 8.8 (high severity). The "authorized attacker" wording means exploitation requires valid credentials on the instance, so an attacker who has compromised an application login or a low-privileged database user is the realistic starting point.
Recommendation
- Apply the security update provided by Microsoft to patch CVE-2026-40370 as soon as possible (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40370).
- Monitor SQL Server for xp_cmdshell being enabled or executed, for the sqlservr.exe process spawning command interpreters, and for file reads and writes from paths outside the directories the instance is expected to touch.
- Where application code or stored procedures pass user-supplied file names or paths to SQL Server, canonicalize the path and check it against an allow-listed base directory; reject traversal sequences, absolute paths, drive letters and UNC paths rather than trying to strip them. Grant the permissions needed to invoke path-taking procedures only to the logins that need them, and keep xp_cmdshell disabled unless there is a documented requirement for it.
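The following is an added example, not code from the advisory or from Microsoft, showing the path check recommended above. It contrasts the weak pattern that leads to CWE-73 (join and trust the result) with a hardened check that canonicalizes the path and confirms it stays inside an allow-listed directory. The directory `C:\SQLData\Import` is a hypothetical choice; the advisory names no such location. Windows path semantics are applied through `ntpath` so the check behaves identically whether it runs on the database host or elsewhere.

```python
import ntpath

# Hypothetical allow-listed import directory (an assumption of this example,
# not something the advisory specifies).
ALLOWED_ROOT = r"C:\SQLData\Import"


def naive_join(user_path: str, root: str = ALLOWED_ROOT) -> str:
    """The weak pattern behind CWE-73: concatenate and trust the result.
    Traversal sequences, absolute paths and UNC paths all pass straight through."""
    return ntpath.join(root, user_path)


def safe_join(user_path: str, root: str = ALLOWED_ROOT):
    """Return the canonical path if it lies strictly inside `root`, else None.

    Rejecting rather than sanitizing keeps the logic simple: there is no
    attempt to "strip out" dangerous pieces that an attacker could re-encode.
    """
    if not user_path or "\x00" in user_path:
        return None
    # Rooted paths ("\foo"), UNC paths ("\\srv\share") and their
    # forward-slash variants all start with a separator.
    if user_path[0] in "\\/":
        return None
    # Drive letters ("C:\..."), drive-relative paths ("C:foo") and NTFS
    # alternate data streams ("file.txt:hidden") all carry a colon.
    if ":" in user_path:
        return None
    root_norm = ntpath.normpath(root)
    candidate = ntpath.normpath(ntpath.join(root_norm, user_path))
    # normpath has collapsed any ".." components; whatever is left must still
    # sit below the root (the trailing separator stops "C:\SQLData\Import2"
    # from matching "C:\SQLData\Import").
    if not candidate.lower().startswith(root_norm.lower() + "\\"):
        return None
    return candidate


def is_safe_path(user_path: str, root: str = ALLOWED_ROOT) -> bool:
    """Boolean form of safe_join for use as a guard before a file operation."""
    return safe_join(user_path, root) is not None


if __name__ == "__main__":
    # Constructed inputs: one legitimate name and several escape attempts.
    for p in [r"reports\2025\q1.csv", r"..\..\Windows\System32\evil.dll",
              r"\\attacker\share\payload.dll", r"C:\Windows\win.ini",
              "sub/../../escape.txt", "notes.txt:hidden"]:
        print(f"{p!r:40} naive={naive_join(p)!r:50} safe={safe_join(p)!r}")
```

The same shape applies inside T-SQL wrappers or application code that builds a path for BULK INSERT, backup, or any other file-taking feature: resolve first, compare against the allowed root, and only then hand the path to SQL Server.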
Detection coverage (2 rules)
Detects CVE-2026-40370 Exploitation Attempt — Suspicious xp_cmdshell Usage
Severity: high. Fires when the xp_cmdshell extended stored procedure is enabled (via sp_configure) or used to execute operating-system commands.
Detects CVE-2026-40370 Exploitation Attempt — SQL Server Process Spawning cmd.exe
Severity: medium. Fires when the SQL Server process (sqlservr.exe) spawns a command interpreter.
Both rules look for post-exploitation behaviour that is common to SQL Server compromises in general rather than for the vulnerable operation itself, since the affected interface is not public. They will also fire on legitimate administrative use of xp_cmdshell, so tune them against the logins and hosts that are expected to use it.
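As an added illustration of the two detections above (this is example code, not the platform's rules), the following runs both checks over a handful of constructed events: simplified SQL statement records and Sysmon-style process-creation records. The field names (`type`, `login`, `statement`, `parent_image`, `image`, `command_line`) and the install path are this example's own assumptions, not any product's schema.

```python
import ntpath
import re

# Constructed sample events (not real telemetry). The SQL Server binary path is
# the default for a 2022 default instance and is only an assumption here.
SQL_BINN = r"C:\Program Files\Microsoft SQL Server\MSSQL16.MSSQLSERVER\MSSQL\Binn"
SAMPLE_EVENTS = [
    {"type": "sql_statement", "login": "app_reporting",
     "statement": "SELECT name FROM sys.databases;"},
    {"type": "sql_statement", "login": "app_reporting",
     "statement": "EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;"},
    {"type": "sql_statement", "login": "app_reporting",
     "statement": "EXEC master..xp_cmdshell 'whoami /all';"},
    {"type": "process_create", "parent_image": SQL_BINN + r"\sqlservr.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c whoami /all"},
    {"type": "process_create", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe"},
    {"type": "process_create", "parent_image": SQL_BINN + r"\sqlservr.exe",
     "image": r"C:\Windows\System32\conhost.exe", "command_line": "conhost.exe"},
]

# Matches both enabling the procedure (sp_configure 'xp_cmdshell') and calling it.
XP_CMDSHELL_RE = re.compile(r"\bxp_cmdshell\b", re.IGNORECASE)
SQL_SERVER_IMAGES = {"sqlservr.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}


def detect(event: dict):
    """Return an alert dict for a matching event, or None."""
    kind = event.get("type")
    if kind == "sql_statement":
        if XP_CMDSHELL_RE.search(event.get("statement", "")):
            return {"rule": "Suspicious xp_cmdshell Usage", "severity": "high",
                    "detail": f"{event.get('login')}: {event.get('statement')}"}
        return None
    if kind == "process_create":
        # Compare on the executable name so the install path does not matter.
        parent = ntpath.basename(event.get("parent_image", "")).lower()
        child = ntpath.basename(event.get("image", "")).lower()
        if parent in SQL_SERVER_IMAGES and child in INTERPRETERS:
            return {"rule": "SQL Server Process Spawning Command Interpreter",
                    "severity": "medium",
                    "detail": f"{parent} -> {event.get('command_line')}"}
    return None


def run_detections(events) -> list:
    """Apply detect() to every event and keep the hits, in input order."""
    return [alert for alert in map(detect, events) if alert is not None]


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['rule']}: {alert['detail']}")
```

In production the xp_cmdshell check would read from a SQL Server Audit or Extended Events session capturing statement text, and the process check from Sysmon Event ID 1 or Windows Security event 4688 with command-line logging enabled; the matching logic is the same. Pair the process rule with an allow-list of expected children (for example agent jobs that legitimately run scripts) to keep false positives manageable.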