Quick Summary
Microsoft SQL Server Exposed to the Internet is a critical misconfiguration in which the MSSQL database service is directly reachable from the public internet. This significantly increases the risk of brute-force attacks, credential compromise, unauthorized data access, ransomware deployment, and full server compromise.
Vulnerability Classification
| Field | Value |
|---|---|
| Vulnerability Type | Database Public Exposure |
| CWE ID | CWE-284 – Improper Access Control |
| CVE ID | N/A (Configuration Issue) |
| CVSS 4.0 Base Score | 9.3 (Critical) |
| CVSS Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H |
| OWASP Category | A05:2021 – Security Misconfiguration |
| Attack Surface | External Network |
Affected Asset / Environment
- Service: Microsoft SQL Server (MSSQL)
- Default Port: 1433 (TCP)
- Platforms: Windows Server
- Testing Method: External / Black-box Assessment
- Tools Used: Nmap, sqlcmd, Hydra
Description
The assessor observed that the Microsoft SQL Server service is accessible from a public or untrusted network. Port 1433 was reachable externally, and connection attempts were accepted by the server.
MSSQL databases typically store sensitive enterprise data including customer records, financial information, authentication credentials, and application data. Direct internet exposure greatly increases the likelihood of automated scanning and targeted attacks.
Attackers frequently target publicly exposed MSSQL services through brute-force attacks, weak or default credentials, or unpatched vulnerabilities.
Root Cause
The issue occurs due to improper network and firewall configuration allowing unrestricted access to the MSSQL service.
Common root causes include:
- Firewall allowing 0.0.0.0/0 access to port 1433
- Cloud security group misconfiguration
- SQL Server bound to public IP
- Lack of network segmentation
- Absence of secure remote access policy
Business Impact
Exploitation of this vulnerability may allow attackers to gain unauthorized access to enterprise databases. This may result in data theft, data manipulation, ransomware deployment, and service disruption.
Compromise of a production SQL server may lead to severe operational downtime, regulatory penalties, financial loss, and reputational damage.
Publicly exposed MSSQL servers are commonly targeted by automated attack campaigns.
Technical Impact
An attacker can:
- Detect and fingerprint SQL Server version
- Attempt brute-force login attacks
- Exploit weak or default credentials
- Dump entire databases
- Create new administrative database accounts
- Execute system-level commands using extended stored procedures (if enabled)
This significantly increases the risk of full database and potential host compromise.
Proof of Concept (PoC)
Step 1: Identify MSSQL Service
nmap -sV -p 1433 <target-ip>
If port 1433 is open and identified as Microsoft SQL Server, exposure is confirmed.
Step 2: Enumerate SQL Server Information
nmap -p 1433 --script ms-sql-info <target-ip>
If version details are returned, reconnaissance is possible.
Step 3: Attempt Direct Connection
sqlcmd -S <target-ip> -U sa -P <password>
If the server accepts authentication attempts from external networks, it is publicly accessible.
Step 4: Test Brute-force Exposure (Authorized Testing Only)
hydra -L users.txt -P passwords.txt mssql://<target-ip>
If login attempts are processed, a brute-force attack surface exists.
Exploitation Prerequisites
- Network access to port 1433
- MSSQL service running
- Public network exposure
- Weak credentials or misconfigured access controls
Remediation
It is recommended that Microsoft SQL Server not be exposed directly to the internet.
Recommended actions:
- Restrict port 1433 to trusted internal IP ranges
- Implement firewall and cloud security group restrictions
- Use VPN or bastion host for remote administration
- Enforce strong password policies
- Disable unused SQL features
- Enable logging and monitoring
After implementing controls, verify that external connections to port 1433 are blocked.
Detection and Monitoring
- Monitor SQL Server logs for failed login attempts
- Alert on repeated authentication failures
- Conduct periodic external port scanning
- Review firewall and security group configurations
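As an added example (not part of the original finding), the following Python script applies the first two monitoring points to SQL Server ERRORLOG lines: it counts "Login failed" events per [CLIENT: ...] source, flags sources that reach a failure threshold, and notes whether the source lies outside trusted address ranges. The trusted ranges (RFC 1918 plus loopback), the threshold of 3, and the log excerpt are assumptions constructed for this example.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed trusted ranges for this example: RFC 1918 plus loopback.
# Replace with the organisation's own allow-list of internal ranges.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed SQL Server ERRORLOG excerpt (sample data, not a captured log).
SAMPLE_ERRORLOG = """\
2024-03-01 02:14:07.11 Logon       Error: 18456, Severity: 14, State: 8.
2024-03-01 02:14:07.11 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2024-03-01 02:14:08.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2024-03-01 02:14:08.90 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.45]
2024-03-01 02:14:09.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2024-03-01 02:20:31.40 Logon       Login failed for user 'app_user'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.12]
2024-03-01 02:21:05.13 Logon       Login succeeded for user 'app_user'. Connection made using SQL Server authentication. [CLIENT: 10.0.0.12]
2024-03-01 02:25:00.00 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: <local machine>]
"""

# Matches the failed-login line and captures the login name and the CLIENT field.
FAILED_RE = re.compile(r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]")

def is_external(client):
    """True if CLIENT parses as an IP address outside TRUSTED_NETS.
    Non-address values such as '<local machine>' are treated as not external."""
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:
        return False
    return not any(addr in net for net in TRUSTED_NETS)

def failed_logins_by_client(text):
    """Aggregate failed logins per source: {client: {"failures": n, "users": {...}}}."""
    stats = defaultdict(lambda: {"failures": 0, "users": set()})
    for m in FAILED_RE.finditer(text):
        entry = stats[m["client"]]
        entry["failures"] += 1
        entry["users"].add(m["user"])
    return dict(stats)

def detect_bruteforce(text, threshold=3):
    """Return sources at or above the failure threshold, most failures first,
    noting whether each is external and whether it tried the 'sa' login."""
    findings = []
    for client, s in failed_logins_by_client(text).items():
        if s["failures"] >= threshold:
            findings.append({"client": client, "failures": s["failures"],
                             "users": sorted(s["users"]),
                             "external": is_external(client),
                             "targets_sa": "sa" in s["users"]})
    return sorted(findings, key=lambda f: -f["failures"])

if __name__ == "__main__":
    for finding in detect_bruteforce(SAMPLE_ERRORLOG):
        print(finding)
```

On a live server the same logic can be fed from the ERRORLOG file or from the output of xp_readerrorlog collected by the monitoring pipeline; an external source flagged by this check is direct evidence that the exposure described above is being probed.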
