On July 14, 2026, Microsoft published a security update that patches a critical remote code execution (RCE) hole in Microsoft SQL Server. Tracked as CVE-2026-54118, the vulnerability scored 8.8 on the CVSS scale and can be triggered remotely by an attacker who already holds low‑level authorization. SQL Server administrators need to deploy the July 2026 update immediately, verify that all instances – including passive replicas and development boxes – land on a patched build, and harden network access before the attack surface shrinks any further.

What exactly changed on July 14?

Microsoft bundled CVE-2026-54118 into its monthly security release and pushed fixes for every supported SQL Server branch: 2016 SP3, 2017, 2019, 2022, and 2025. Both the General Distribution Release (GDR) and Cumulative Update (CU) servicing tracks receive their own distinct builds, so the specific number you need depends on which path your instance follows.

The root cause is unsafe deserialization of untrusted data – CWE-502 in the Common Weakness Enumeration. In simple terms, certain SQL Server code reconstructs objects from serialized input without enough validation. A crafted payload can trick the system into running arbitrary code. Microsoft describes the attack vector as “Network” (AV:N) and the attack complexity as “Low” (AC:L), meaning no exotic timing or deep research is required once an attacker meets the access prerequisites.

Because the advisory does not list privilege‑before‑exploitation as “None” (PR:N), attackers need some form of authorized access before they can weaponize the flaw. The CVSS vector published alongside the bulletin confirms “Privileges Required: Low” (PR:L). That could be a SQL login with minimal rights, a stolen service‑account credential, or a foothold obtained through an earlier compromise.

The table below lists the minimum patched build for each servicing branch that Microsoft considers protected. Every instance running a lower build number is still vulnerable.

SQL Server Version Servicing Branch Minimum Patched Build
2016 SP3 GDR 13.0.6500.1
2016 SP3 (Azure Connect) Azure Connect Feature Pack 13.0.7095.1
2017 CU31 14.0.3540.1
2017 GDR 14.0.2120.1
2019 CU32 15.0.4480.2
2019 GDR 15.0.2180.2
2022 CU25 16.0.4262.2
2022 GDR 16.0.1190.2
2025 GDR 17.0.1125.2
2025 CU6 Consult Security Update Guide

For SQL Server 2025 CU6, Microsoft lists the update but does not publish a discrete build number in the advisory; administrators must use the Security Update Guide mapping.

What the vulnerability means for you

For database administrators and IT operations: CVE-2026-54118 is serious. The 8.8 score reflects a combination of remote reachability and low complexity. Although a password or token is required first, that barrier is not as high as it sounds. Credentials leak from configuration files, connection strings, backup tapes, and previous breaches. An attacker who already possesses a low‑privilege SQL login could escalate to full remote code execution – and from there move laterally across your network. Internet‑facing SQL Servers are the most obvious targets, but internal instances are not safe. In a ransomware scenario, a criminal who compromised a single workstation can scan for database servers sitting on the same VLAN. Patching isolated test systems and disaster‑recovery nodes is just as important as protecting production, because one forgotten box can give an intruder a foothold inside the perimeter.

For developers and DevOps engineers: If your team manages its own SQL Server instances – for example, in cloud virtual machines, developer workstations, or CI/CD pipelines – you need to pull the July update into your environment. Shared application databases that accept connections from multiple container groups or external contractors create risk because any authorized user could become an attack vector. Updating SQL Server is not as simple as clicking “Install” on a Windows cumulative update; you must explicitly download the SQL Server security package for your version and branch, and then verify the engine version after the instance restarts.

For everyday Windows users: Most home users do not run SQL Server and will not need to take any direct action. If you use a work laptop that connects to a corporate database, your IT department should already be acting on this vulnerability. But you can help: if you receive an email from your admin asking you to restart an application or avoid certain actions during a maintenance window, cooperate quickly. A straightforward request might be the difference between a routine patch and a breach.

How we got here

Deserialization flaws are not new to the Microsoft ecosystem. In recent years, similar issues surfaced in .NET components, Exchange Server, and SharePoint. SQL Server itself has seen RCE bugs before, though many were rated lower because they required higher privileges or were not network‑reachable. What makes CVE-2026-54118 stand out is the combination of AV:N and AC:L, which dragged the CVSS score to 8.8 – a notch below the most critical pre‑auth vulnerabilities but still well into “patch immediately” territory.

The July 14 advisory does not indicate that the vulnerability is being actively exploited or that a public proof‑of‑concept exists. That will almost certainly change once security researchers compare patched and unpatched SQL Server binaries. History shows that within days of a Patch Tuesday, reverse engineers often isolate the changed code and develop reliable exploits. Scoring the complexity as Low suggests that the exploitation path will be reproducible once it becomes public. For now, the only thing keeping attacks at bay is the time it takes for adversaries to develop working payloads.

What to do right now

  1. Inventory every SQL Server instance. If you cannot name all your standalone servers, failover cluster instances, Always On availability‑group replicas, reporting servers, and DR nodes, stop and complete an inventory first. Passive replicas that are rarely started are especially easy to miss.

  2. Determine the servicing branch of each instance. Open SQL Server Management Studio, run SELECT @@VERSION, and note the full build number. Cross‑reference it with the table above or the Microsoft Security Update Guide to identify whether you are on a GDR, CU, or Azure Connect track. A mismatch – for example, applying a GDR package to a CU‑patched instance – will leave the server unprotected and may cause other problems.

  3. Download the correct package. Visit the MSRC Security Update Guide page for CVE-2026-54118. Microsoft provides separate download links for every listed combo. Download the package that matches your version and branch.

  4. Patch in a controlled order. For standalone instances, schedule a maintenance window, install the update, and verify the build number again. For failover clusters and availability groups, follow the documented rolling‑patch procedures: update passive nodes first, failover, and then update the previously active node. Never install a SQL Server patch without a verified backup and a rollback plan.

  5. Verify, don’t assume. After the instance restarts, execute SELECT @@VERSION and confirm the build number matches or exceeds the minimum patched build for your branch. Relying solely on deployment‑tool success messages or Windows Update history is not enough – the SQL Server engine version is the only reliable indicator.

  6. Harden network access while you patch. Even before the update is fully deployed, reduce exposure. Remove public IP bindings from SQL Server hosts, tighten firewall rules to allow only application servers and designated management machines, disable SQL Server Browser where not needed, and change default ports. Audit SQL logins: disable unused accounts, revoke unnecessary privileges, and rotate any credentials that might have leaked into configuration files or code repositories.

  7. Monitor for suspicious activity. Look for unusual connections from workstations or servers that do not normally talk to the database tier. A surge in failed login attempts or a connection from an unexpected subnet could be a sign that someone is probing your servers.

What comes next

Microsoft’s advisory leaves key technical details out of the public description to avoid handing attackers a blueprint, but that grace period will not last. Researchers will reverse‑engineer the patch, and proof‑of‑concept code is likely to appear within weeks. If you manage SQL Servers that are reachable from any network segment beyond a tightly controlled jump box, the priority is to finish patching before that PoC becomes a weapon. Watch for follow‑up communications from Microsoft – any revision to the advisory that mentions active exploitation or public disclosure would be a signal to accelerate your deployment. For now, treat every pre‑July build as a liability and get them off your network.