CVE-2026-40370: CVE-2026-40370: Authenticated Remote Code Execution in Microsoft SQL Server via Path Manipulation

CVE-2026-40370: Authenticated Remote Code Execution in Microsoft SQL Server via Path Manipulation

Vulnerability ID: CVE-2026-40370
CVSS Score: 8.8
Published: 2026-05-12

CVE-2026-40370 is a high-severity Remote Code Execution (RCE) vulnerability affecting Microsoft SQL Server versions 2016 through 2025. It stems from improper path validation (CWE-73) in internal stored procedures, allowing an authenticated user with low privileges to execute arbitrary code within the context of the SQL Server service account.

TL;DR

A path manipulation flaw (CWE-73) in Microsoft SQL Server allows authenticated, low-privileged users to achieve Remote Code Execution (RCE) via crafted UNC paths or path traversal techniques.

---

Technical Details

• CWE ID: CWE-73
• Attack Vector: Network
• CVSS v3.1 Score: 8.8
• EPSS Score: 0.00069 (0.07%)
• Exploit Status: Unexploited / No Public PoC
• Authentication Required: Low Privileges (PR:L)
• Primary Impact: Remote Code Execution

Affected Systems

• Microsoft SQL Server 2016
• Microsoft SQL Server 2017
• Microsoft SQL Server 2019
• Microsoft SQL Server 2022
• Microsoft SQL Server 2025
• Microsoft SQL Server 2016 SP3 (GDR): 13.0.0 < 13.0.6490.1 (Fixed in: 13.0.6490.1)
• Microsoft SQL Server 2016 SP3 Azure Connect: 13.0.0 < 13.0.7085.1 (Fixed in: 13.0.7085.1)
• Microsoft SQL Server 2017 (CU 31): 14.0.0 < 14.0.3530.2 (Fixed in: 14.0.3530.2)
• Microsoft SQL Server 2017 (GDR): 14.0.0 < 14.0.2110.2 (Fixed in: 14.0.2110.2)
• Microsoft SQL Server 2019 (CU 32): 15.0.0.0 < 15.0.4470.1 (Fixed in: 15.0.4470.1)
• Microsoft SQL Server 2019 (GDR): 15.0.0 < 15.0.2170.1 (Fixed in: 15.0.2170.1)
• Microsoft SQL Server 2022 (GDR): 16.0.0 < 16.0.1180.1 (Fixed in: 16.0.1180.1)
• Microsoft SQL Server 2022 (CU 24): 16.0.0.0 < 16.0.4252.3 (Fixed in: 16.0.4252.3)
• Microsoft SQL Server 2025 (CU 4): 17.0.4040.1 < 17.0.4040.1 (Fixed in: 17.0.4040.1)
• Microsoft SQL Server 2025 (GDR): 17.0.1050.2 < 17.0.1115.1 (Fixed in: 17.0.1115.1)

Mitigation Strategies

• Apply official Microsoft cumulative updates and GDR patches.
• Block outbound SMB traffic (TCP 139, 445) from SQL Server hosts.
• Implement Principle of Least Privilege for SQL Server service accounts.
• Audit and restrict access to stored procedures interacting with the file system.

Remediation Steps:

1. Identify the exact version and build number of the SQL Server instance.
2. Download the corresponding security update (e.g., KB5089270, KB5090347) from the Microsoft Update Catalog.
3. Schedule a maintenance window, as patching SQL Server requires restarting the database service.
4. Apply the patch and verify the new build number matches the fixed version specification.
5. Review Windows Firewall rules to ensure the SQL Server cannot establish outbound SMB connections to the internet or untrusted internal subnets.

References

• Microsoft Security Response Center (MSRC) Advisory for CVE-2026-40370
• CVE.org Record for CVE-2026-40370
• Tenable Nessus Plugin 314668
• SANS Internet Storm Center: Microsoft May 2026 Patch Tuesday

---

Read the full report for CVE-2026-40370 on our website for more details including interactive diagrams and full exploit analysis.