CVE-2018-8533

MEDIUM

Microsoft SQL Server Management Studio <18 - Info Disclosure


Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-8533. PoCs published by hyp3rlinx.

AI-analyzed exploit summary: This exploit demonstrates an XML External Entity (XXE) injection vulnerability in Microsoft SQL Server Management Studio 17.9 and 18.0 (Preview 4). It leverages improper XML parsing to disclose sensitive information by embedding external file contents into an XML document.

Description

An information disclosure vulnerability exists in Microsoft SQL Server Management Studio (SSMS) when parsing malicious XML content containing a reference to an external entity, aka "SQL Server Management Studio Information Disclosure Vulnerability." This affects SQL Server Management Studio 17.9, SQL Server Management Studio 18.0. This CVE ID is unique from CVE-2018-8527, CVE-2018-8532.

Exploits (1)

exploitdb WORKING POC VERIFIED
by hyp3rlinx · text · local · windows
https://www.exploit-db.com/exploits/45583

Classification: Working PoC 100%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Microsoft SQL Server Management Studio 17.9 and 18.0 (Preview 4)
No auth needed
Prerequisites: Target must open a malicious REGSRVR file · Attacker must host a malicious DTD file on a controlled server
devstral-2 · analyzed Feb 18, 2026

References (4)

Core References
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/45583/
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1041826
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/105476

Scores

CVSS v3 5.5
EPSS 0.2337
EPSS Percentile 97.5%
Attack Vector LOCAL
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Details

CWE CWE-611
Status published
Products (2)
microsoft/sql_server_management_studio 17.9
microsoft/sql_server_management_studio 18.0
Published Oct 10, 2018
Tracked Since Feb 18, 2026