Microsoft SQL Server Remote Code Execution Vulnerability
CVE-2023-21528

7.8HIGH

Key Information:

Vendor: Microsoft
Status: Microsoft Sql Server 2016 Service Pack 3 Azure Connect Feature Pack; Microsoft Sql Server 2019 (gdr); Microsoft Sql Server 2016 Service Pack 3 (gdr); Microsoft Sql Server 2014 Service Pack 3 (gdr)
Vendor: CVE Published:; 14 February 2023

What is CVE-2023-21528?

This vulnerability in Microsoft SQL Server allows remote attackers to execute arbitrary code on the server by exploiting a flaw in the configuration or operational parameters of the database service. It poses significant risks to data integrity and confidentiality, making it crucial for administrators to apply relevant patches and secure configurations to mitigate potential exploitation.

Affected Version(s)

Microsoft SQL Server 2008 R2 Service Pack 3 (QFE) 32-bit Systems 10.0.0 < 10.50.6785.2

Microsoft SQL Server 2008 Service Pack 4 (QFE) x64-based Systems 10.0.0 < 10.0.6814.4

Microsoft SQL Server 2012 for x64-based Systems Service Pack 4 (QFE) x64-based Systems 11.0.0 < 11.0.7512.11

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE...

vendor-advisory

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 14, 2023
Vulnerability Reserved
Dec 1, 2022