H3-2026-0003
MSSQL EXECUTE AS Impersonation Privilege Escalation Vulnerability
| Category | SECURITY_MISCONFIGURATION |
| Base Score | 8.8 |
Description
A low-privileged Microsoft SQL Server user was able to escalate privileges by impersonating a higher-privileged principal using the EXECUTE AS statement. This can occur when a user has been granted IMPERSONATE permission on a login (EXECUTE AS LOGIN) or when a user is the database owner (dbo) in a database with the TRUSTWORTHY property enabled (EXECUTE AS USER). Through impersonation, the attacker gains the permissions of the impersonated principal, which may include sysadmin-level access.
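An audit for the two conditions described above, as an added example that is not part of the original advisory: it lists logins holding IMPERSONATE on another login, and databases with TRUSTWORTHY enabled together with their owner. It assumes the queries are run by a login allowed to read server-level metadata; the bracketed names in the commented follow-up statements are placeholders.

```sql
-- Added example (not from the advisory). Run as a login that can view
-- server-level metadata; IS_SRVROLEMEMBER returns NULL when the login
-- name is not valid or the caller may not view role membership.

-- 1) EXECUTE AS LOGIN path: who holds IMPERSONATE on which login.
SELECT
    grantee.name    AS grantee_login,
    target.name     AS impersonable_login,
    perm.state_desc AS permission_state,
    IS_SRVROLEMEMBER('sysadmin', target.name) AS target_is_sysadmin
FROM sys.server_permissions AS perm
JOIN sys.server_principals  AS grantee
     ON grantee.principal_id = perm.grantee_principal_id
JOIN sys.server_principals  AS target
     ON target.principal_id = perm.major_id   -- login that can be impersonated
WHERE perm.class = 101                        -- SERVER_PRINCIPAL
  AND perm.permission_name = 'IMPERSONATE'
  AND perm.state IN ('G', 'W')                -- GRANT / GRANT WITH GRANT OPTION
ORDER BY target_is_sysadmin DESC, grantee.name;

-- 2) EXECUTE AS USER path: databases with TRUSTWORTHY enabled and the
--    server-level login that owns each one. msdb has TRUSTWORTHY on by
--    default, so expect it in the result.
SELECT
    d.name                   AS database_name,
    SUSER_SNAME(d.owner_sid) AS owner_login,
    IS_SRVROLEMEMBER('sysadmin', SUSER_SNAME(d.owner_sid)) AS owner_is_sysadmin
FROM sys.databases AS d
WHERE d.is_trustworthy_on = 1
ORDER BY owner_is_sysadmin DESC, d.name;

-- Follow-up for rows that are not required (placeholder names):
-- REVOKE IMPERSONATE ON LOGIN::[impersonable_login] FROM [grantee_login];
-- ALTER DATABASE [database_name] SET TRUSTWORTHY OFF;
```

Rows where `target_is_sysadmin` or `owner_is_sysadmin` is 1 are the ones that match the sysadmin-level escalation this finding describes.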
Impact
An attacker who successfully exploits this weakness can escalate from a low-privileged SQL Server user to sysadmin-level access. This allows them to execute operating system commands via xp_cmdshell or SQL Server Agent jobs, dump password hashes from sys.sql_logins, access all databases, and potentially compromise the underlying host.