CVE-2019-1068 — Microsoft SQL Server Remote Code Execution Vulnerability

Executive Summary

A remote code execution vulnerability exists in Microsoft SQL Server when it incorrectly handles processing of internal functions. An attacker who successfully exploited this vulnerability could execute code in the context of the SQL Server Database Engine service account. To exploit the vulnerability, an authenticated attacker would need to submit a specially crafted query to an affected SQL server. The security update addresses the vulnerability by modifying how the Microsoft SQL Server Database Engine handles the processing of functions.

Overview

Important

MS Severity

Not Exploited

MS Exploit Status

Less Likely

MS Exploit Likelihood

Category Remote Code Execution

Released Jul 9 2019

Last Updated Jul 9 2019

Publicly Disclosed Yes

CISA KEV Not Listed

Known Exploits None Known

EPSS Score 0.44665 — 0.98607 percentile

EPSS Score

0.44665

probability of exploitation in the next 30 days

0.98607 percentile - updated 2026-06-20

View on FIRST.org

Affected Products

14 affected products

Product	KB Article	Severity	Impact	Restart Required
Microsoft SQL Server 2014 Service Pack 2 for 32-bit Systems (CU)	`4505419 (Security Update)`	Important	Remote Code Execution	Maybe
Microsoft SQL Server 2014 Service Pack 2 for 32-bit Systems (GDR)	`4505217 (Security Update)`	Important	Remote Code Execution	Maybe
Microsoft SQL Server 2014 Service Pack 2 for x64-based Systems (CU)	`4505419 (Security Update)`	Important	Remote Code Execution	Maybe
Microsoft SQL Server 2014 Service Pack 2 for x64-based Systems (GDR)	`4505217 (Security Update)`	Important	Remote Code Execution	Maybe
Microsoft SQL Server 2014 Service Pack 3 for 32-bit Systems (CU 4)	`4505422 (Security Update)`	Important	Remote Code Execution	Maybe
Microsoft SQL Server 2014 Service Pack 3 for 32-bit Systems (GDR)	`4505218 (Security Update)`	Important	Remote Code Execution	Maybe
Microsoft SQL Server 2014 Service Pack 3 for x64-based Systems (CU)	`4505422 (Security Update)`	Important	Remote Code Execution	Maybe
Microsoft SQL Server 2014 Service Pack 3 for x64-based Systems (GDR)	`4505218 (Security Update)`	Important	Remote Code Execution	Maybe
Microsoft SQL Server 2016 for x64-based Systems Service Pack 1 (CU)	`4505221 (Security Update)`	Important	Remote Code Execution	Maybe
Microsoft SQL Server 2016 for x64-based Systems Service Pack 1 (GDR)	`4505219 (Security Update)`	Important	Remote Code Execution	Maybe
Microsoft SQL Server 2016 for x64-based Systems Service Pack 2 (CU)	`4505222 (Security Update)`	Important	Remote Code Execution	Maybe
Microsoft SQL Server 2016 for x64-based Systems Service Pack 2 (GDR)	`4505220 (Security Update)`	Important	Remote Code Execution	Maybe
Microsoft SQL Server 2017 for x64-based Systems (CU)	`4505225 (Security Update)`	Important	Remote Code Execution	Maybe
Microsoft SQL Server 2017 for x64-based Systems (GDR)	`4505224 (Security Update)`	Important	Remote Code Execution	Maybe

Patches

10 patches

Article	Type	Restart
`4505419`	Security Update	Maybe
`4505217`	Security Update	Maybe
`4505422`	Security Update	Maybe
`4505218`	Security Update	Maybe
`4505221`	Security Update	Maybe
`4505219`	Security Update	Maybe
`4505222`	Security Update	Maybe
`4505220`	Security Update	Maybe
`4505225`	Security Update	Maybe
`4505224`	Security Update	Maybe

Known Exploits

No known exploits have been linked for this CVE yet. When available, exploit references will be sourced from public repositories and may be unverified, incomplete, or non-functional. Always review code carefully before use in any environment.

Acknowledgments

Microsoft has not published researcher acknowledgments for this CVE, or they are not yet reflected in our data source. Check the MSRC advisory directly for the most current credit information.

References

MSRC Advisory MITRE NVD