Microsoft: Microsoft SQL Server Zero-Day Vulnerability Allows Attackers to Escalate Privileges

Microsoft Discloses Critical SQL Server Zero-Day Vulnerability (CVE-2026-21262)

Microsoft has revealed a critical zero-day vulnerability in SQL Server, tracked as CVE-2026-21262, which allows authenticated attackers to escalate privileges to sysadmin, the highest administrative level, on affected systems. The flaw, disclosed on March 10, 2026, stems from improper access control (CWE-284) and has been publicly disclosed, increasing the risk of exploitation.

With a CVSS score of 8.8 (Important severity), the vulnerability is network-based, requires only low privileges, and involves no user interaction. Successful exploitation grants attackers full control over the database, compromising confidentiality, integrity, and availability, all rated as high impact. While Microsoft assesses exploitation as "Less Likely" at present, the public disclosure lowers the barrier for threat actors to develop exploits.

The flaw affects SQL Server 2016 through 2025, including instances hosted on Azure IaaS. Microsoft has released patches for all supported versions, with specific KB updates for each release (e.g., KB5077466 for SQL Server 2025, KB5077464 for SQL Server 2022). Organizations are advised to apply updates immediately, audit user permissions, and monitor for suspicious privilege escalation activity. Unsupported versions should be upgraded to receive security fixes.
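As an added example that is not from the article or from Microsoft, the T-SQL below works through the three recommendations (patch status, permission audit, monitoring for privilege escalation) on a SQL Server instance. It assumes you hold CONTROL SERVER; the audit name and file path are placeholders, and the fixed build numbers must be taken from the KB for your release because the article does not list them.

```sql
-- Added example (not the article's or Microsoft's code). Assumes CONTROL SERVER;
-- audit name and path are placeholders.

-- 1. Patch status: compare the build with the one listed in the KB for your
--    release (KB5077466 for SQL Server 2025, KB5077464 for SQL Server 2022).
SELECT SERVERPROPERTY('ProductMajorVersion') AS major_version,
       SERVERPROPERTY('ProductVersion')      AS build,
       SERVERPROPERTY('ProductLevel')        AS product_level,
       SERVERPROPERTY('ProductUpdateLevel')  AS cumulative_update;

-- 2. Permission audit: current sysadmin members, most recently changed first.
SELECT m.name AS member_name, m.type_desc, m.is_disabled, m.modify_date
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.modify_date DESC;

--    Logins holding server permissions that are effectively sysadmin-adjacent.
SELECT p.name, p.type_desc, sp.permission_name, sp.state_desc
FROM sys.server_permissions AS sp
JOIN sys.server_principals AS p ON p.principal_id = sp.grantee_principal_id
WHERE sp.permission_name IN (N'CONTROL SERVER', N'ALTER ANY LOGIN',
                             N'ALTER ANY SERVER ROLE', N'IMPERSONATE ANY LOGIN')
  AND p.type_desc <> N'SERVER_ROLE';

-- 3. Monitoring: log role-membership, login, permission and impersonation
--    changes so an unexpected sysadmin grant leaves a record.
CREATE SERVER AUDIT PrivEscAudit
    TO FILE (FILEPATH = 'D:\SQLAudit\')   -- placeholder path
    WITH (ON_FAILURE = CONTINUE);
CREATE SERVER AUDIT SPECIFICATION PrivEscAuditSpec
    FOR SERVER AUDIT PrivEscAudit
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),
    ADD (SERVER_PERMISSION_CHANGE_GROUP),
    ADD (SERVER_PRINCIPAL_IMPERSONATION_GROUP)
    WITH (STATE = ON);
ALTER SERVER AUDIT PrivEscAudit WITH (STATE = ON);

-- Review: every audited event that touched the sysadmin role since disclosure.
SELECT event_time, action_id, server_principal_name, object_name, statement
FROM sys.fn_get_audit_file(N'D:\SQLAudit\*.sqlaudit', DEFAULT, DEFAULT)
WHERE event_time >= '2026-03-10'
  AND (object_name = N'sysadmin' OR statement LIKE N'%sysadmin%')
ORDER BY event_time DESC;
```

Run the first three queries on every instance in the 2016 through 2025 range, including Azure IaaS hosts; the audit and review queries are the ongoing monitoring the article recommends.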

Source: https://cybersecuritynews.com/microsoft-sql-server-zero-day-vulnerability/

Microsoft Security Response Center cybersecurity rating report: https://www.rankiteo.com/company/microsoft-security-response-center

{
  "id": "MIC1773203190",
  "linkid": "microsoft-security-response-center",
  "type": "Vulnerability",
  "date": "3/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}

{
  "affected_entities": [
    {
      "industry": "Technology/Database Management",
      "location": "Global",
      "name": "Microsoft SQL Server",
      "type": "Software"
    }
  ],
  "attack_vector": "Network",
  "data_breach": {
    "sensitivity_of_data": "High (confidentiality, integrity, and availability all rated as high impact)"
  },
  "date_publicly_disclosed": "2026-03-10",
  "description": "Microsoft has revealed a critical zero-day vulnerability in SQL Server, tracked as CVE-2026-21262, which allows authenticated attackers to escalate privileges to sysadmin (the highest administrative level) on affected systems. The flaw stems from improper access control (CWE-284) and has been publicly exposed, increasing the risk of exploitation.",
  "impact": {
    "operational_impact": "Full control over the database, compromising confidentiality, integrity, and availability",
    "systems_affected": "SQL Server 2016 through 2025, including Azure IaaS instances"
  },
  "post_incident_analysis": {
    "corrective_actions": "Patch management, permission audits, monitoring for privilege escalation",
    "root_causes": "Improper access control (CWE-284)"
  },
  "recommendations": "Apply patches immediately, audit user permissions, monitor for suspicious privilege escalation activity, upgrade unsupported versions",
  "references": [
    {"source": "Microsoft Security Update"}
  ],
  "response": {
    "containment_measures": "Apply patches (e.g., KB5077466 for SQL Server 2025, KB5077464 for SQL Server 2022), audit user permissions, monitor for suspicious privilege escalation activity",
    "enhanced_monitoring": "Monitor for suspicious privilege escalation activity",
    "remediation_measures": "Apply Microsoft patches for supported versions, upgrade unsupported versions"
  },
  "title": "Microsoft Discloses Critical SQL Server Zero-Day Vulnerability (CVE-2026-21262)",
  "type": "Privilege Escalation",
  "vulnerability_exploited": "CVE-2026-21262 (Improper Access Control - CWE-284)"
}