CVE-2026-54117 is a Microsoft SQL Server remote code execution vulnerability caused by deserialization of untrusted data. It has a CVSS v3.1 base score of 8.8 (High) with a temporal score of 7.7. The vector is network exploitable, with low attack complexity, low privileges required, and no user interaction. Microsoft lists the issue as not publicly disclosed and not exploited, with exploit code maturity unproven. The FAQ says an authenticated attacker with explicit permissions could log in to SQL Server and elevate privileges to sysadmin. This is a high-severity issue for enterprise SQL Server deployments, especially where the service is reachable over the network. Highlights: - CVSS scores: Base 8.8 - Temporal 7.7 - Exploit status & code maturity: Publicly Disclosed: No; Exploited: No; Exploit Code Maturity: UNPROVEN. - Impact: Remote Code Execution with HIGH confidentiality, integrity, and availability impact. - Exploitation likelihood: Exploitation Less Likely; despite the network vector, the FAQ indicates attacker authentication and explicit permissions are required. - Severity for enterprise: High. Network-reachable SQL Server instances are at elevated risk, but the need for authenticated access and explicit permissions reduces exposure compared with unauthenticated remote RCE. - Patch status: available Affected systems: - Microsoft SQL Server 2025 CU6+GDR - Microsoft SQL Server 2025 RTM+GDR - Microsoft SQL Server 2022 CU25+GDR - Microsoft SQL Server 2022 RTM+GDR - Microsoft SQL Server 2019 CU32+GDR - Microsoft SQL Server 2019 RTM+GDR - Microsoft SQL Server 2017 CU31+GDR - Microsoft SQL Server 2017 RTM+GDR - Microsoft SQL Server 2016 Azure Connect Feature Pack+GDR - Microsoft SQL Server 2016 SP3+GDR