CVE-2024-28940 Overview
CVE-2024-28940 is a remote code execution vulnerability in the Microsoft OLE DB Driver for SQL Server. The flaw is classified as a heap-based buffer overflow [CWE-122] and affects the OLE DB Driver as well as deployments using SQL Server 2019 and SQL Server 2022 on x64. An attacker who tricks an authenticated user into connecting a vulnerable client to a malicious SQL Server can execute code in the context of the client process. Microsoft published the advisory on April 9, 2024, and the entry carries a CVSS v3.1 base score of 8.8.
Critical Impact
Successful exploitation grants attacker-controlled code execution on the client system, with full confidentiality, integrity, and availability impact. EPSS places this vulnerability in the 84th percentile for exploitation likelihood.
Affected Products
- Microsoft OLE DB Driver for SQL Server
- Microsoft SQL Server 2019 (x64)
- Microsoft SQL Server 2022 (x64)
Discovery Timeline
- 2024-04-09 - CVE-2024-28940 published to NVD and Microsoft Security Update Guide
- 2025-01-15 - Last updated in NVD database
Technical Details for CVE-2024-28940
Vulnerability Analysis
The vulnerability resides in the Microsoft OLE DB Driver for SQL Server, the client-side data access component used by applications to connect to SQL Server instances. Exploitation requires the attacker to host or control a malicious SQL Server and to convince an authenticated user to initiate a connection from a system running the vulnerable driver. Because the attack vector is network-based and exploitation occurs against the client, the targeted process is the application invoking the OLE DB Driver rather than a server-side SQL Server process.
Root Cause
Microsoft classifies the issue as a heap-based buffer overflow [CWE-122]. The driver mishandles attacker-controlled response data returned by a malicious SQL Server, allowing a write past the bounds of a heap allocation. The corrupted heap state enables control over program flow and ultimately arbitrary code execution within the client process. Microsoft has not released exploit details beyond the advisory.
Attack Vector
The attack vector is Network, and user interaction is required. A typical exploitation chain involves an attacker presenting a crafted server endpoint (for example, a phishing lure containing an ODC, UDL, or connection string pointing to the attacker host) and waiting for the victim to initiate a database connection using MSOLEDBSQL. Once the connection is established, malformed server protocol messages trigger the heap overflow in the client. No public proof-of-concept is currently listed, and the vulnerability is not in the CISA KEV catalog.
No verified public exploit code is available for CVE-2024-28940. See the Microsoft Security Update Guide entry for CVE-2024-28940 for vendor-supplied technical context.
Detection Methods for CVE-2024-28940
Indicators of Compromise
- Unexpected outbound TCP connections on port 1433 (or other SQL Server ports) from workstations to untrusted external IP addresses.
- Crashes or abnormal termination of applications loading msoledbsql.dll, particularly Excel, Power BI Desktop, SSMS, or custom line-of-business tools.
- Newly written or executed files spawned as child processes of applications that just loaded the OLE DB Driver.
- User-opened .udl, .odc, or .iqy files originating from email or web downloads followed by SQL Server connection attempts.
Detection Strategies
- Inventory endpoints with msoledbsql.dll present and correlate driver versions against the patched build listed in the Microsoft advisory.
- Hunt for process chains where Office or browser processes spawn database client activity followed by cmd.exe, powershell.exe, or rundll32.exe.
- Alert on heap corruption telemetry, Windows Error Reporting events, and faulting modules referencing msoledbsql.dll.
Monitoring Recommendations
- Forward EDR process and module-load telemetry to a central data lake and build queries that pivot on msoledbsql.dll load events.
- Monitor egress firewall logs for SQL Server protocol traffic destined to non-corporate networks and block by default.
- Track Windows Update and SCCM compliance reports to confirm the SQL Server cumulative update or standalone OLE DB Driver patch is deployed across the estate.
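As an added example that is not part of this page, the following Python script implements the three hunts listed above (SQL egress to non-corporate addresses, a process that loaded msoledbsql.dll spawning cmd.exe, powershell.exe or rundll32.exe, and Windows Error Reporting crashes faulting in the driver) over constructed Sysmon-style and WER-style events. The event field names and the corporate address ranges are assumptions to adapt to your own telemetry schema.

```python
import ipaddress

DRIVER_DLL = "msoledbsql.dll"
SQL_PORTS = {1433}                                       # add named-instance ports as needed
LOLBINS = {"cmd.exe", "powershell.exe", "rundll32.exe"}
# Assumed corporate ranges; anything else counts as "non-corporate" for the egress rule.
CORP_NETS = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in CORP_NETS)

def detect(events):
    """Return (rule, pid, detail) tuples; events use an assumed Sysmon/WER-like dict schema."""
    alerts, loaded = [], set()               # loaded: pids that mapped msoledbsql.dll
    for e in sorted(events, key=lambda ev: ev["ts"]):
        kind = e["kind"]
        if kind == "image_load" and basename(e["image_loaded"]) == DRIVER_DLL:
            loaded.add(e["pid"])
        elif kind == "net_conn" and e["dst_port"] in SQL_PORTS and is_external(e["dst_ip"]):
            alerts.append(("external_sql_egress", e["pid"], e["dst_ip"]))   # workstation -> Internet SQL
        elif kind == "proc_create" and e["ppid"] in loaded and basename(e["image"]) in LOLBINS:
            alerts.append(("driver_host_spawned_lolbin", e["ppid"], basename(e["image"])))
        elif kind == "app_crash" and basename(e["faulting_module"]) == DRIVER_DLL:
            alerts.append(("msoledbsql_crash", e["pid"], basename(e["image"])))  # WER faulting module
    return alerts

# Constructed sample: Excel loads the driver, reaches an external SQL port and spawns
# PowerShell; a reporting tool connects internally (benign); Power BI crashes in the driver.
SAMPLE_EVENTS = [
    {"ts": 1, "kind": "image_load", "pid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image_loaded": r"C:\Windows\System32\msoledbsql.dll"},
    {"ts": 2, "kind": "net_conn", "pid": 100, "dst_ip": "203.0.113.10", "dst_port": 1433},
    {"ts": 3, "kind": "proc_create", "pid": 101, "ppid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ts": 4, "kind": "image_load", "pid": 200, "image": r"C:\Apps\Report.exe",
     "image_loaded": r"C:\Windows\System32\msoledbsql.dll"},
    {"ts": 5, "kind": "net_conn", "pid": 200, "dst_ip": "10.20.30.40", "dst_port": 1433},
    {"ts": 6, "kind": "app_crash", "pid": 300, "image": r"C:\Program Files\Microsoft Power BI Desktop\bin\PBIDesktop.exe",
     "faulting_module": r"C:\Windows\System32\msoledbsql.dll"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Events are sorted by timestamp before evaluation, so the parent-loaded-the-driver check works even when the EDR delivers records out of order.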
How to Mitigate CVE-2024-28940
Immediate Actions Required
- Apply the Microsoft security update referenced in the CVE-2024-28940 advisory to every endpoint and server that has the OLE DB Driver installed.
- Update SQL Server 2019 and SQL Server 2022 instances to the fixed cumulative update, since they ship the affected driver.
- Restrict outbound TCP/1433 and other SQL Server ports from user workstations to known internal database hosts.
- Educate users to refuse SQL Server connection prompts originating from unsolicited files or links.
Patch Information
Microsoft released fixed builds of the OLE DB Driver for SQL Server and corresponding SQL Server 2019 and SQL Server 2022 updates on April 9, 2024. Patch artifacts and download links are enumerated in the Microsoft Security Update Guide for CVE-2024-28940. The standalone MSOLEDBSQL redistributable should be upgraded on any host where applications embed it independently of a full SQL Server install.
Workarounds
- Where patching is delayed, block outbound SQL Server protocol traffic to untrusted destinations using host and perimeter firewalls.
- Remove the OLE DB Driver from systems that do not require SQL Server connectivity to reduce attack surface.
- Use application allowlisting to prevent unsigned data connection files such as .udl and .odc from launching database clients.
# Verify installed OLE DB Driver version on Windows (PowerShell).
# Query both the native and the WOW6432Node uninstall hives, since the 32-bit
# driver registers under the latter on x64 hosts; compare DisplayVersion with
# the fixed build listed in the Microsoft advisory.
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*",
                 "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" |
Where-Object { $_.DisplayName -like "*OLE DB Driver*for SQL Server*" } |
Select-Object DisplayName, DisplayVersion, Publisher

# Block outbound SQL Server traffic to non-corporate networks.
# "Internet" is a built-in Windows Firewall address keyword; add further
# -RemotePort values if named instances listen on other ports.
New-NetFirewallRule -DisplayName "Block Outbound SQL 1433 to Internet" `
-Direction Outbound -Protocol TCP -RemotePort 1433 `
-RemoteAddress Internet -Action Block
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.