{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/sql_server/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-40370"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["SQL Server"],"_cs_severities":["high"],"_cs_tags":["cve","sql_server","rce"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eCVE-2026-40370 is a vulnerability affecting Microsoft SQL Server. The vulnerability stems from the external control of file names or paths, which allows an authorized attacker to execute arbitrary code over a network. This means that if an attacker can influence the path or filename used by SQL Server in certain operations, they can potentially inject and execute malicious code. This vulnerability poses a significant risk to organizations using SQL Server, as successful exploitation could lead to complete system compromise, data breaches, or denial-of-service conditions.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authorized user gains the ability to specify a file path or name used by SQL Server. This might be through a stored procedure or other interface.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious file path or name that contains code to be executed. This can involve command injection.\u003c/li\u003e\n\u003cli\u003eSQL Server attempts to access the file based on the attacker-controlled path.\u003c/li\u003e\n\u003cli\u003eDue to insufficient sanitization or validation of the file path, the injected code is interpreted as a command.\u003c/li\u003e\n\u003cli\u003eSQL Server executes the attacker\u0026rsquo;s malicious code with the privileges of the SQL Server process.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control over the SQL Server instance.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised SQL Server instance to access sensitive data, modify databases, or pivot to other systems on the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-40370 allows an authorized attacker to execute arbitrary code on the SQL Server with the privileges of the SQL Server service account. This can lead to complete system compromise, allowing the attacker to steal sensitive data, modify databases, install backdoors, or use the compromised server as a staging point for further attacks within the network. The vulnerability has a CVSS v3.1 score of 8.8, indicating a high severity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security update provided by Microsoft to patch CVE-2026-40370 as soon as possible (\u003ca href=\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40370)\"\u003ehttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40370)\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor SQL Server logs for suspicious file access patterns or attempts to execute commands from unusual locations.\u003c/li\u003e\n\u003cli\u003eImplement strict input validation and sanitization for any user-supplied file paths or names used by SQL Server.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T18:45:09Z","date_published":"2026-05-12T18:45:09Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-40370/","summary":"CVE-2026-40370 allows an authorized attacker with control over file names or paths to execute code over a network in Microsoft SQL Server.","title":"CVE-2026-40370: SQL Server External Control of File Name or Path Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-40370/"}],"language":"en","title":"CraftedSignal Threat Feed — Sql_server","version":"https://jsonfeed.org/version/1.1"}