{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/sql-server/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-33120"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["sql-server","rce","vulnerability"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-33120 is a critical vulnerability affecting Microsoft SQL Server. This vulnerability, classified as an untrusted pointer dereference, allows an authorized attacker to execute arbitrary code on the targeted system remotely. Successful exploitation requires the attacker to be authenticated to the SQL Server instance, reducing the attack surface but still posing a significant threat to internal networks. The vulnerability was reported by Microsoft and assigned a CVSS v3.1 score of 8.8, highlighting its potential for significant impact. The vulnerability poses a significant risk to organizations utilizing vulnerable SQL Server instances, as it could lead to data breaches, system compromise, and further lateral movement within the network. Defenders need to identify and patch vulnerable SQL Server instances promptly to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to the targeted SQL Server instance using compromised or valid credentials.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious SQL query designed to trigger the untrusted pointer dereference.\u003c/li\u003e\n\u003cli\u003eThe malicious query is sent to the SQL Server instance for processing.\u003c/li\u003e\n\u003cli\u003eSQL Server attempts to dereference a pointer controlled by the attacker due to the crafted query.\u003c/li\u003e\n\u003cli\u003eThis dereference leads to an exception or crash within the SQL Server process.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages this crash to gain control of the execution flow.\u003c/li\u003e\n\u003cli\u003eThe attacker injects malicious code into the SQL Server process memory.\u003c/li\u003e\n\u003cli\u003eThe injected code is executed within the context of the SQL Server service account, granting the attacker system-level privileges and remote code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-33120 allows an authenticated attacker to execute arbitrary code on the targeted SQL Server instance with system-level privileges. This can lead to complete system compromise, data breaches, denial of service, and further lateral movement within the network. The vulnerability affects all SQL Server versions prior to the patch. Given the widespread use of SQL Server in enterprise environments, a successful exploit could have significant repercussions, impacting sensitive data and critical business operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security update released by Microsoft to patch CVE-2026-33120 on all affected SQL Server instances immediately. Refer to the Microsoft advisory (\u003ca href=\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33120\"\u003ehttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33120\u003c/a\u003e) for specific instructions.\u003c/li\u003e\n\u003cli\u003eMonitor SQL Server logs for suspicious activity, such as unexpected crashes or unusual query patterns that might indicate exploitation attempts. Create a rule based on process creation with unexpected parent processes.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eDetect Suspicious SQL Server Process Creation\u003c/code\u003e to detect potential exploitation attempts based on process creation events.\u003c/li\u003e\n\u003cli\u003eReview and enforce the principle of least privilege for SQL Server accounts to minimize the impact of successful exploitation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-15T12:00:00Z","date_published":"2026-04-15T12:00:00Z","id":"/briefs/2026-04-sql-server-rce/","summary":"CVE-2026-33120 is an untrusted pointer dereference vulnerability in Microsoft SQL Server that allows an authenticated attacker to achieve remote code execution over a network.","title":"SQL Server Untrusted Pointer Dereference Vulnerability (CVE-2026-33120)","url":"https://feed.craftedsignal.io/briefs/2026-04-sql-server-rce/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["SQL Server"],"_cs_severities":["medium"],"_cs_tags":["persistence","sql-server","xp_cmdshell","windows"],"_cs_type":"threat","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe xp_cmdshell extended stored procedure in Microsoft SQL Server allows execution of operating system commands from within the SQL Server environment. Although disabled by default, its use can provide a direct pathway for attackers to run arbitrary commands on the underlying system with the privileges of the SQL Server service account. This account often has elevated privileges, allowing attackers to escalate their access and establish persistence mechanisms. This activity has been observed in intrusions where attackers seek to maintain control over compromised systems. Defenders should closely monitor for the enabling and use of xp_cmdshell, especially when combined with other suspicious activity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a vulnerable SQL Server instance, possibly through SQL injection or compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to enable the xp_cmdshell stored procedure using \u003ccode\u003esp_configure 'xp_cmdshell', 1; RECONFIGURE;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker uses xp_cmdshell to execute reconnaissance commands, such as \u003ccode\u003exp_cmdshell 'whoami'\u003c/code\u003e or \u003ccode\u003exp_cmdshell 'net user'\u003c/code\u003e, to gather information about the system and user context.\u003c/li\u003e\n\u003cli\u003eThe attacker uses xp_cmdshell to download and execute a malicious payload (e.g., using \u003ccode\u003ecertutil.exe\u003c/code\u003e to download a file).\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence by creating a scheduled task via xp_cmdshell executing the \u003ccode\u003eschtasks\u003c/code\u003e command. For example: \u003ccode\u003exp_cmdshell 'schtasks /create /tn \u0026quot;Malicious Task\u0026quot; /tr \u0026quot;C:\\\\Windows\\\\Temp\\\\evil.exe\u0026quot; /sc ONLOGON /ru SYSTEM'\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe scheduled task executes upon system logon, providing persistent access for the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the persistent access to deploy additional tools or exfiltrate data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation enables attackers to execute arbitrary commands with elevated privileges on the SQL Server host. This can lead to data theft, system compromise, and the establishment of persistent backdoors. Lateral movement within the network is also possible, leveraging the compromised SQL Server as a pivot point. While specific victim counts and sectors are not provided, any organization using Microsoft SQL Server is potentially vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious xp_cmdshell Usage\u0026rdquo; to your SIEM to detect attempts to use xp_cmdshell for command execution.\u003c/li\u003e\n\u003cli\u003eDisable the xp_cmdshell stored procedure unless absolutely necessary. If required, implement strict monitoring and auditing of its usage (reference: rule description).\u003c/li\u003e\n\u003cli\u003eMonitor for process creation events with a parent process of \u003ccode\u003esqlservr.exe\u003c/code\u003e, specifically looking for command-line arguments indicative of exploitation (reference: Sigma rule).\u003c/li\u003e\n\u003cli\u003eEnsure SQL servers are not directly exposed to the internet and implement strict access controls, using allowlists to restrict connections to legitimate sources (reference: the \u0026ldquo;Response and remediation\u0026rdquo; section).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-mssql-xp-cmdshell-persistence/","summary":"Attackers may leverage the xp_cmdshell stored procedure in Microsoft SQL Server to execute arbitrary commands for privilege escalation and persistence, often bypassing default security configurations.","title":"MSSQL xp_cmdshell Stored Procedure Abuse for Persistence","url":"https://feed.craftedsignal.io/briefs/2024-01-mssql-xp-cmdshell-persistence/"}],"language":"en","title":"CraftedSignal Threat Feed — Sql-Server","version":"https://jsonfeed.org/version/1.1"}