CVE-2024-26164
published 2024-03-12

CVE-2024-26164: Microsoft Django Backend for SQL Server Remote Code Execution Vulnerability

Priority: P2 59 · Severity: high · CVSS 3.1 base score: 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.12% (79.6th percentile)

Affected (3 ranges)

Vendor      Product                         Version range      Fixed in
microsoft   django_backend                  < 1.4.1            1.4.1
microsoft   sql_server_backend_for_django   >= 1.0 < 1.4.1     1.4.1
msrc        sql_server_backend_for_django

Detection & IOCs (extracted from sources)

  • Exploit vector is unsanitized user-supplied parameter injected into a SQL query (SQL Injection leading to RCE) in the Microsoft Django Backend for SQL Server (mssql-django)
  • Exploitation requires a low-privilege attacker leveraging a Microsoft Access application that communicates with a remote SQL Server address under attacker control; monitor for unexpected or attacker-controlled remote SQL Server connection strings in Access/Django configurations
  • Vulnerable component is mssql-django (Microsoft Django Backend for SQL Server); the patched version is 1.4.1, so environments running versions prior to 1.4.1 are exposed
  • The fix is available via the PyPI package mssql-django 1.4.1 and the corresponding GitHub release

CVSS provenance

Source        Version   Score   Severity   Vector
nvd           v3.1      8.8     HIGH       CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vendor_msrc             8.8     HIGH