Critical SQL Server Patch Applied
Microsoft rolled out Patch Tuesday fixes that addressed 77 vulnerabilities, including a critical SQL Server flaw that could let attackers gain sysadmin privileges remotely — patched in the March update reported. This underlines why internal controls teams must validate patch processes and continuous monitoring, not just periodic testing.
CVE‑2026‑21262 — an SQL Server elevation‑of‑privilege bug with a CVSS base score of 8.8 — is described by the NVD as “improper access control” that lets an authenticated actor raise privileges over a network. nvd.nist.gov Microsoft shipped security updates for affected SQL Server servicing tracks on March 10, 2026, with per‑release packages such as KB5077469 (SQL Server 2019 CU32) and KB5077468 (SQL Server 2025 GDR) published the same day. support.microsoft.com Vendor and industry analyses noted the flaw allows a low‑privileged, authenticated user to escalate to the sysadmin role over the network, and at release there was no confirmed evidence of active exploitation in the wild per Rapid7 and Tenable. krebsonsecurity.com Microsoft’s KBs include a downloadable Excel mapping of builds and explicitly instruct administrators to match the update to their product version and servicing path; the updates are available via Windows Update and the Microsoft Update Catalog (standalone package listed as KB5077469, ~888.5 MB). support.microsoft.com
