
CVE-2024-28945: CWE-191: Integer Underflow (Wrap or Wraparound) in Microsoft Microsoft SQL Server 2019 (GDR)

Severity: High
Tags: Vulnerability, CVE-2024-28945, CVE, CWE-191
Published: Tue Apr 09 2024 (04/09/2024, 17:00:30 UTC)
Source: CVE
Vendor/Project: Microsoft
Product: Microsoft SQL Server 2019 (GDR)

Description

Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability

AI-Powered Analysis

Last updated: 06/26/2025, 04:14:05 UTC

Technical Analysis

CVE-2024-28945 is a high-severity vulnerability in the Microsoft OLE DB Driver for SQL Server, which Microsoft catalogues against SQL Server 2019 (GDR), version 15.0.0, because the driver ships with the server product. The root cause is an integer underflow (CWE-191): an arithmetic operation, typically a subtraction on a length or offset taken from the wire, produces a result below the type's minimum and wraps around to a very large value. When such a wrapped value is later used as a copy length or index, the result is memory corruption, which an attacker can turn into arbitrary code execution. The OLE DB driver is a client-side component: it runs inside whatever process opens the connection (an application server, an ETL job, a developer's workstation, or a SQL Server instance acting as a client through a linked server). The attack vector is therefore a malicious or compromised SQL Server endpoint: the attacker must get the victim to initiate a connection to a server the attacker controls, and the crafted responses then trigger the flaw inside the driver, so the attacker's code runs with the privileges of the connecting process rather than on a SQL Server the victim owns. This is why the CVSS v3.1 vector is network-reachable with no privileges required but user interaction required, giving a base score of 8.8 with high confidentiality, integrity, and availability impact. No exploitation in the wild had been reported at the time of this analysis. The practical risk is concentrated wherever clients can be induced to connect to untrusted servers, and, because the flaw sits in the driver, every host with the driver installed is affected regardless of whether it is a SQL Server host. The case illustrates why length and offset arithmetic in database drivers must be bounds-checked before subtraction, not after.
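As an added illustration of the CWE-191 pattern described above, the following C program contrasts a length-prefixed packet parser that underflows with a hardened version. It is not the OLE DB driver's code and says nothing about the driver's actual wire format; the 2-byte big-endian total-length field, the 4-byte header, the buffer size, and the function names are assumptions made for the demo, and the packets are constructed inline.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Assumed demo wire format (NOT the OLE DB / TDS format): a 2-byte
 * big-endian "total length" that counts the 4-byte header plus the
 * payload, followed by the payload bytes.
 */
#define HDR_LEN 4u

static uint16_t rd16be(const uint8_t *p) {
    return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

/*
 * VULNERABLE pattern: the bounds check is done on the raw length field,
 * but the length handed to memcpy is derived by a subtraction that wraps
 * when the field is smaller than the header. Returns 0 if the parser would
 * proceed to copy and stores the length it would pass to memcpy in
 * *copy_len. The copy itself is deliberately not performed here, because
 * with a wrapped length it would overrun the destination buffer.
 */
int vuln_payload_len(const uint8_t *pkt, size_t pkt_len, size_t out_len,
                     size_t *copy_len) {
    if (pkt_len < HDR_LEN) return -1;
    uint16_t total = rd16be(pkt);
    /* Looks sufficient: the claimed size fits in the packet and the buffer. */
    if (total > pkt_len || total > out_len) return -1;
    /* CWE-191: with total = 2, (size_t)2 - 4 wraps to SIZE_MAX - 1. */
    *copy_len = (size_t)total - HDR_LEN;
    /* Real code would now do: memcpy(out, pkt + HDR_LEN, *copy_len); */
    return 0;
}

/*
 * HARDENED: reject a length field smaller than the header before
 * subtracting, require the claimed size to fit in what was received, and
 * bound the derived payload length (not the raw field) against the
 * destination. Returns 0 and the number of bytes copied on success.
 */
int safe_parse(const uint8_t *pkt, size_t pkt_len, uint8_t *out,
               size_t out_len, size_t *copied) {
    if (pkt_len < HDR_LEN) return -1;
    uint16_t total = rd16be(pkt);
    if (total < HDR_LEN) return -1;            /* subtraction can no longer wrap */
    if (total > pkt_len) return -1;            /* must not exceed received bytes */
    size_t payload_len = (size_t)total - HDR_LEN;
    if (payload_len > out_len) return -1;      /* check the derived length */
    memcpy(out, pkt + HDR_LEN, payload_len);
    *copied = payload_len;
    return 0;
}

int main(void) {
    /* Constructed packets for the demo. */
    const uint8_t crafted[8] = {0x00, 0x02, 0, 0, 'A', 'A', 'A', 'A'}; /* total=2 < header */
    const uint8_t benign[7]  = {0x00, 0x07, 0, 0, 'a', 'b', 'c'};       /* total=7, 3 payload bytes */
    uint8_t out[64];
    size_t n = 0;

    if (vuln_payload_len(crafted, sizeof crafted, sizeof out, &n) == 0)
        printf("vulnerable parser accepted the crafted packet and would memcpy "
               "%zu bytes into a %zu-byte buffer\n", n, sizeof out);
    printf("hardened parser on crafted packet returns %d\n",
           safe_parse(crafted, sizeof crafted, out, sizeof out, &n));
    if (safe_parse(benign, sizeof benign, out, sizeof out, &n) == 0)
        printf("hardened parser copied %zu payload bytes: %.*s\n", n, (int)n, out);
    return 0;
}
```

The point of the hardened version is the order of the checks: `total < HDR_LEN` is tested before the subtraction exists, and the bound against the destination is applied to the value that actually reaches `memcpy`. A check on the raw field alone, as in the vulnerable parser, is exactly the kind of "looks validated" arithmetic that CWE-191 describes.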

Potential Impact

For European organizations, the impact of CVE-2024-28945 could be substantial. Microsoft SQL Server 2019 is extensively used across finance, healthcare, government, and manufacturing, and the OLE DB driver is installed on far more machines than the database servers themselves. Exploitation could lead to unauthorized access to sensitive data, disruption of critical business operations, and regulatory exposure (for example GDPR obligations following a data breach). The attacker needs no credentials on the victim side, only a client that connects to a server the attacker controls, so a single compromised or spoofed SQL endpoint, or a connection string the attacker can influence, could hand over code execution on application servers, integration hosts, or administrator workstations, from which persistence, privilege escalation, and lateral movement follow. The high confidentiality, integrity, and availability impacts mean that data theft, data tampering, and service outages are all plausible outcomes. Because user interaction is required, phishing and social engineering that lead a user or an automated job to connect to a rogue server are realistic vectors, raising the risk in environments with less mature security awareness. Given the central role of SQL Server in many European enterprises, exploitation could disrupt supply chains, financial transactions, and public services, amplifying the economic and reputational damage.

Mitigation Recommendations

Apply the Microsoft security updates that address this vulnerability. Because the flaw is in the client-side driver, patching the SQL Server 2019 (GDR) hosts is not enough: inventory every machine on which the Microsoft OLE DB Driver for SQL Server (MSOLEDBSQL) is installed, including application servers, ETL and reporting hosts, and developer workstations, and update the driver there as well. Restrict which servers clients are allowed to reach: egress filtering from client segments to known SQL Server hosts (TCP 1433 and the SQL Browser service on UDP 1434, or whichever ports the instances use) removes the attacker's ability to have a client connect to a rogue server, and strict firewall rules and network segmentation around the real instances limit exposure in the other direction. Treat connection strings, linked-server definitions, and DNS entries for SQL Server hosts as security-sensitive configuration and review changes to them. Provide user awareness training on phishing and social engineering, since the vulnerability depends on a victim initiating a connection. Monitor for connection attempts from clients to unexpected SQL Server endpoints and for crashes in processes that load the driver, both of which are useful early indicators of an exploitation attempt; use application allow-listing and endpoint detection and response (EDR) tooling to detect and block suspicious child processes or memory activity in those client processes. Enforce least privilege for database users, service accounts, and the accounts under which client applications run, so that code execution in a client yields as little as possible. Regularly audit SQL Server configurations and permissions against security best practices.


Technical Details

Data Version: 5.1
Assigner Short Name: microsoft
Date Reserved: 2024-03-13T01:26:53.039Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9837c4522896dcbeb3fa

Added to database: 5/21/2025, 9:09:11 AM

Last enriched: 6/26/2025, 4:14:05 AM

Last updated: 8/18/2025, 9:24:31 AM
