CVE-2019-1068

HIGH EXPLOITED RANSOMWARE

Microsoft SQL Server - Remote Code Execution via Internal Function Processing


Exploitation Summary

CVE-2019-1068 has been observed exploited in the wild (reported by VulnCheck KEV), including in ransomware campaigns. EIP tracks 1 public exploit from researchers including Vulnerability-Playground.

AI-analyzed exploit summary: This repository contains a functional PoC for CVE-2019-1068, a stack overflow vulnerability in Microsoft SQL Server's 'svl.dll'. The exploit triggers a DoS by sending a malformed 'RESTORE FILELISTONLY' command, causing the server to crash.

Description

A remote code execution vulnerability exists in Microsoft SQL Server when it incorrectly handles processing of internal functions, aka 'Microsoft SQL Server Remote Code Execution Vulnerability'.

Exploits (1)

nomisec WORKING POC
by Vulnerability-Playground · dos
https://github.com/Vulnerability-Playground/CVE-2019-1068

Classification: Working PoC 95%
Attack Type: DoS
Complexity: Trivial
Reliability: Reliable
Target: Microsoft SQL Server (versions affected by CVE-2019-1068)
Auth required
Prerequisites: Valid SQL Server credentials · Network access to the target SQL Server
devstral-2 · analyzed Feb 19, 2026

Scores

CVSS v3 8.8
EPSS 0.4466
EPSS Percentile 98.6%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2024-09-04
Ransomware Use Confirmed
Status published
Products (3)
microsoft/sql_server 2014 sp2 (2 CPE variants)
microsoft/sql_server 2016 sp1 (2 CPE variants)
microsoft/sql_server 2017
Published Jul 15, 2019
Tracked Since Feb 18, 2026