A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Six years. Gartner® Magic Quadrant™ Leader.Find Out Why
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • AI Data Pipelines
      Security Data Pipeline for AI SIEM and Data Optimization
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2024-21370

CVE-2024-21370: Windows 10 1507 WDAC SQL Server RCE Flaw

CVE-2024-21370 is a remote code execution vulnerability in Microsoft WDAC OLE DB provider for SQL Server affecting Windows 10 1507. Attackers can exploit this flaw to execute arbitrary code. This article covers technical details, impact, and mitigation.

Published: June 2, 2026

CVE-2024-21370 Overview

CVE-2024-21370 is a remote code execution vulnerability in the Microsoft Windows Data Access Components (WDAC) OLE DB provider for SQL Server. The flaw allows attackers to execute arbitrary code on affected systems when a victim connects to a malicious SQL Server instance. Microsoft disclosed the vulnerability as part of its February 2024 security update cycle. The underlying weakness is a heap-based buffer overflow [CWE-122] that triggers during the processing of crafted server responses. Both client systems and server installations across the supported Windows lineup are affected.

Critical Impact

An attacker who convinces a user to connect to a malicious SQL Server can achieve remote code execution with the privileges of the connecting process, resulting in high impact to confidentiality, integrity, and availability.

Affected Products

  • Microsoft Windows 10 (versions 1507, 1607, 1809, 21H2, 22H2)
  • Microsoft Windows 11 (versions 21H2, 22H2, 23H2)
  • Microsoft Windows Server 2008, 2012, 2016, 2019, 2022, and 2022 23H2

Discovery Timeline

  • 2024-02-13 - CVE-2024-21370 published to NVD
  • 2024-02-13 - Microsoft released security update addressing CVE-2024-21370
  • 2024-11-21 - Last updated in NVD database

Technical Details for CVE-2024-21370

Vulnerability Analysis

The vulnerability resides in the WDAC OLE DB provider for SQL Server, the client-side component Windows applications use to connect to SQL Server databases. A malicious SQL Server can return crafted protocol responses that cause the OLE DB provider to write outside the bounds of an allocated heap buffer. The resulting memory corruption can be steered toward controlled code execution in the context of the calling process. Exploitation is network-based but requires the victim to initiate a database connection to attacker-controlled infrastructure.

Root Cause

The root cause is a heap-based buffer overflow [CWE-122] within the data parsing logic of the OLE DB provider. The component fails to correctly validate length or size fields supplied by the remote SQL Server before copying data into a fixed-size heap allocation. An attacker controlling the server response can shape adjacent heap memory and corrupt object metadata or function pointers used during later processing.

Attack Vector

The attack vector is network-based but requires user interaction. The attacker must persuade a user, typically an administrator or developer, to connect a vulnerable client to a malicious SQL Server instance using the WDAC OLE DB provider. Common delivery techniques include phishing emails containing connection strings, malicious .udl or .odc files, or rogue services on internal networks that lure clients via discovery or misconfiguration. No authentication is required at the SQL Server layer because the corruption occurs before authentication completes.

No public proof-of-concept exploit code has been released. See the Microsoft Security Update CVE-2024-21370 advisory for vendor technical details.

Detection Methods for CVE-2024-21370

Indicators of Compromise

  • Outbound TCP connections from workstations or servers to unfamiliar SQL Server endpoints on port 1433 or dynamic ports negotiated through SQL Browser on UDP 1434.
  • Unexpected child processes spawned by applications hosting OLE DB clients such as excel.exe, powerbi.exe, or custom line-of-business binaries.
  • Crash events or Windows Error Reporting entries referencing msolap, msoledbsql, or sqloledb modules.
  • Creation or execution of .udl, .odc, or Office documents containing connection strings to external SQL Server hosts.

Detection Strategies

  • Hunt for processes loading OLE DB provider DLLs (msoledbsql.dll, sqloledb.dll) that then initiate network connections to non-corporate SQL Server hosts.
  • Correlate Sysmon Event ID 3 (network connect) with Event ID 7 (image load) to identify anomalous OLE DB usage patterns.
  • Apply behavioral identification on post-exploitation activity such as cmd.exe, powershell.exe, or LOLBin execution descending from Office or BI applications.

Monitoring Recommendations

  • Inventory hosts with the OLE DB provider installed and baseline their legitimate SQL Server destinations.
  • Monitor egress traffic to TCP/1433 and block connections to internet-based SQL Server hosts at the perimeter.
  • Forward endpoint telemetry, DNS logs, and proxy logs to a centralized analytics platform to enable cross-source hunting for malicious connection patterns.

How to Mitigate CVE-2024-21370

Immediate Actions Required

  • Apply the February 2024 Microsoft security updates that address CVE-2024-21370 across all affected Windows client and server systems.
  • Identify and inventory all workstations and servers running the WDAC OLE DB provider for SQL Server and prioritize patching for hosts used by administrators and developers.
  • Restrict outbound connections to TCP/1433 and UDP/1434 at the perimeter firewall to known internal SQL Server hosts only.
  • Educate users about the risk of opening connection files (.udl, .odc) or Office documents from untrusted sources.

Patch Information

Microsoft released cumulative security updates on February 13, 2024 that remediate CVE-2024-21370 in the OLE DB provider for SQL Server across supported Windows versions. Refer to the Microsoft Security Update CVE-2024-21370 advisory for the specific KB articles and packages applicable to each platform.

Workarounds

  • Block outbound connections from end-user workstations to external SQL Server endpoints using host or network firewall rules until patches are deployed.
  • Disable or remove the WDAC OLE DB provider on systems that do not require SQL Server connectivity.
  • Enforce application allowlisting to prevent execution of unsigned binaries dropped by post-exploitation payloads.
  • Require VPN or private network access for legitimate SQL Server connections, eliminating direct exposure to attacker-controlled servers.
bash
# Example: Restrict outbound SQL Server traffic using Windows Defender Firewall
New-NetFirewallRule -DisplayName "Block Outbound SQL Server (Untrusted)" `
  -Direction Outbound `
  -Protocol TCP `
  -RemotePort 1433 `
  -RemoteAddress Internet `
  -Action Block

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeRCE
  • Vendor/TechWindows
  • SeverityHIGH
  • CVSS Score8.8
  • EPSS Probability1.92%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityHigh
  • AvailabilityHigh
  • CWE References
  • CWE-122
  • NVD-CWE-noinfo
  • Vendor Resources
  • Microsoft Security Update CVE-2024-21370
  • Related CVEs
  • CVE-2026-33414: Podman HyperV Backend RCE Vulnerability
  • CVE-2026-33826: Windows Active Directory RCE Vulnerability
  • CVE-2026-32183: Windows Snipping Tool RCE Vulnerability
  • CVE-2026-32149: Windows Hyper-V RCE Vulnerability
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English