01 · The Real Story
Calling this plugin Critical is like rating an expired fire extinguisher the same as an active arsonist
Tenable plugin 73756 is a remote version-detection finding, not a proof of exploit. It fingerprints Microsoft SQL Server over the network and flags instances whose self-reported version is past Microsoft support. As of June 1, 2026, that plainly means SQL Server 2014 and earlier are out of support; SQL Server 2016 is still supported until July 14, 2026, so this check should not be used as a blanket 'all old SQL is critical' label.
The vendor severity is overstated for real-world prioritization. Unsupported SQL Server is serious because it stops receiving normal security fixes, which turns every future SQL Server bug into permanent debt, but the plugin itself does not give an attacker code execution, privilege, or data access. You still need a second condition: network reachability, weak auth, a separate SQL Server exploit, or an application path into the instance.
"This is not a live RCE; it’s unsupported software debt on a crown-jewel platform."
02 · The Attack Path
3 steps from start to impact.
STEP 01
Fingerprint the database service with Nessus or nmap
The first step is simple recon: hit TCP
1433 or the instance's configured port and read the TDS/banner metadata. Tenable's own plugin does this remotely, and open tooling like nmap NSE can do similar version discovery. This confirms the target is SQL Server and often narrows it to a major release family.Conditions required:
- Attacker can reach the SQL Server listener over the network
- The instance exposes enough metadata to identify version
Where this breaks in practice:
- Most enterprise SQL servers are internal-only and not directly internet-exposed
- Firewalls, VPN requirements, jump hosts, and private peering shrink reachable population fast
- Named instances and nondefault ports reduce accidental discovery
Detection/coverage: Very high coverage for asset scanners and external attack-surface tools; this is exactly the kind of thing Nessus, Nmap, Censys, and Shodan-style recon catch.
STEP 02
Map the old version to a usable path with Metasploit, Impacket, or app-layer abuse
Once the attacker knows the server is unsupported, they still need a real exploitation path: a version-specific SQL bug, weak credentials, exposed
sa, application SQL injection, or misused features. Unsupported status matters because newly found issues on that branch may never receive normal product fixes, but unsupported status by itself is not the exploit.Conditions required:
- A separate exploit or credential path exists
- The old SQL branch is actually affected by that exploit path
Where this breaks in practice:
- No single CVE is implied by this plugin
- Modern MFA, PAM, app auth boundaries, and network segmentation often block direct SQL logon abuse
- Many shops front SQL Server with applications, not direct client access from untrusted networks
Detection/coverage: Coverage is mixed. Vulnerability scanners can flag unsupported versions, but they cannot prove exploitability without a concrete CVE, auth weakness, or app flaw.
STEP 03
Use SQL access for lateral movement or data theft via mssqlclient.py / native T-SQL
If the attacker gains SQL execution, the impact can be large because SQL Server commonly holds regulated data and can sometimes reach OS-level actions through jobs, linked servers, CLR, or dangerous feature abuse. The blast radius is therefore business-critical, but it is contingent on the attacker already clearing earlier gates.
Conditions required:
- Attacker already has SQL privileges or code execution
- The instance contains valuable data or privileged integrations
Where this breaks in practice:
- Least-privilege database roles and disabled dangerous features reduce impact
- EDR, database auditing, PAM, and service-account restrictions often break post-auth escalation chains
- Tenant/application scoping can limit damage to one app stack
Detection/coverage: Good opportunity for SQL audit logs, Windows eventing, EDR, and privileged access monitoring to catch anomalous logons, job creation,
xp_cmdshell enablement, or linked-server abuse.03 · Intelligence Metadata
The supporting signals.
| What this actually is | A Tenable remote detection for unsupported Microsoft SQL Server versions, not a discrete CVE and not a proof of compromise. |
|---|---|
| Vendor rating | Tenable marks it Critical / 10.0 with manual CVSS because the product is unsupported, not because plugin 73756 demonstrates exploitable impact on its own. |
| In-the-wild status | No CISA KEV entry applies here because this is not a CVE. Unsupported status is a risk amplifier, not an exploitation event by itself. |
| PoC availability | No single PoC applies. Attackers instead pair version fingerprinting with nmap/bannering, credential attacks, application SQLi, or version-specific SQL Server exploits. |
| EPSS | N/A. EPSS scores CVEs; this plugin identifies an unsupported product state. |
| CVSS vector meaning | Tenable uses CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, which assumes full remote compromise from version state alone. That is not how this finding behaves operationally. |
| Affected versions now | Per Microsoft lifecycle data, SQL Server 2014 and earlier are out of support as of June 1, 2026. SQL Server 2016 remains supported until July 14, 2026. |
| Fixed state | There is no patch for 'unsupported.' The fix is to move to a supported branch such as SQL Server 2017/2019/2022/2025, or use Microsoft's Extended Security Updates path where eligible. |
| Exposure reality | Microsoft documents TCP 1433 as the default Database Engine port, and CISA's Shodan guide explicitly shows how to locate internet-accessible SQL services. That means exposure is easy to find when admins publish it, but many enterprise deployments are internal-only. |
| Timeline | Tenable published this plugin on 2014-04-29 and last updated it on 2025-10-15. The risk is ongoing lifecycle debt, not a one-day disclosure spike. |
04 · The Call
noisgate verdict.
Final Verdict
↓ DOWNGRADED to MEDIUM (5.8/10)
The decisive downgrade factor is that this finding requires a second attack path before any real compromise happens. Unsupported SQL Server is dangerous debt on a high-value platform, but the plugin itself only proves age and support status, not exploitability or attacker reach.
HIGH Downgrading vendor `Critical` to a non-emergency operational severity
HIGH Current support-state interpretation for SQL Server 2014 and earlier as of 2026-06-01
MEDIUM Blast-radius assumptions without the user's exposure data or auth model
Why this verdict
- Vendor CVSS is synthetic: Tenable assigns a
10.0manual score to an unsupported state, not to a demonstrated exploit chain. - Requires attacker reach first: unauthenticated remote access to the SQL listener is the first gate; in many enterprises that already implies internal access or a publishing mistake, which materially narrows exposure.
- Requires a second failure: after version detection, the attacker still needs weak credentials, SQLi, misconfiguration, or a concrete SQL Server vulnerability. That compounding friction pulls this well below Critical.
- High-value data keeps it out of LOW: SQL Server commonly backs finance, ERP, line-of-business apps, and regulated data, so unsupported instances carry meaningful residual risk even without a mapped CVE.
- Population matters: if these are internet-exposed legacy SQL servers, the score trends up locally; if they are segmented internal app backends, the practical risk trends down.
Why not higher?
There is no KEV listing, no EPSS because this is not a CVE, and no evidence that plugin 73756 corresponds to a weaponized exploit by itself. Every meaningful impact path depends on another prerequisite beyond 'old version detected,' which is exactly the kind of friction that should prevent a Critical rating.
Why not lower?
This is still a database platform, not a forgotten desktop app. Unsupported SQL Server turns future security issues into unpatchable exposure, often on systems with sensitive data, privileged service accounts, and downstream business dependencies; that keeps it above simple backlog hygiene.
05 · Compensating Control
What to do — in priority order.
- Fence off direct SQL exposure — Restrict inbound access to SQL listeners to known application tiers, admin jump hosts, and approved management networks. For a MEDIUM verdict there is no mitigation SLA, so do this in the current hardening cycle while you work the remediation plan.
- Kill weak and legacy auth paths — Disable or tightly control SQL authentication where possible, rotate privileged SQL logins, and review any exposed
sa-equivalent access. This reduces the most common practical bridge from 'old version' to actual compromise during the 365-day remediation window. - Audit dangerous SQL features — Review
xp_cmdshell, SQL Agent proxies, linked servers, CLR, and broad sysadmin grants. Unsupported versions become much more dangerous when these post-auth amplifiers are left on, so tighten them now as compensating risk reduction. - Prioritize by business tier — Sort findings into internet-exposed, crown-jewel, externally reachable app backends, and everything else. For MEDIUM, there is no mitigation SLA — go straight to the 365-day remediation window, but tiering tells you which migrations to schedule first.
What doesn't work
- Changing the SQL port from
1433alone doesn't solve the problem; scanners and attackers can still find the listener, and the product remains unsupported. - EDR alone is not enough; it may catch post-compromise behavior on Windows, but it does not restore missing vendor security fixes for the database engine.
- Calling it 'Critical' everywhere doesn't help; it buries true emergency patch work under lifecycle debt and trains teams to ignore the queue.
06 · Verification
Crowdsourced verification payload.
Run this on the target Windows host that has SQL Server installed. Invoke it with powershell -ExecutionPolicy Bypass -File .\check-sql-unsupported.ps1; local read access to HKLM is usually enough, and admin helps if registry permissions are hardened. The script checks installed SQL Server instances and prints VULNERABLE, PATCHED, or UNKNOWN based on Microsoft support dates as of 2026-06-01.
# check-sql-unsupported.ps1
# Exit codes:
# 0 = PATCHED / supported state
# 1 = VULNERABLE / unsupported SQL Server detected
# 2 = UNKNOWN / unable to determine
$ErrorActionPreference = 'SilentlyContinue'
$asOf = Get-Date '2026-06-01'
function Get-SqlSupportState {
param(
[int]$MajorVersion,
[datetime]$Now
)
switch ($MajorVersion) {
{ $_ -le 12 } { return 'VULNERABLE' } # 2014 and earlier unsupported as of 2026-06-01
13 {
$eos = Get-Date '2026-07-14T23:59:59'
if ($Now -gt $eos) { return 'VULNERABLE' } else { return 'PATCHED' }
}
{ $_ -ge 14 } { return 'PATCHED' } # 2017+ supported on 2026-06-01
default { return 'UNKNOWN' }
}
}
function Get-InstanceVersionInfo {
$results = @()
$instanceKey = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL'
$wowInstanceKey = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Microsoft SQL Server\Instance Names\SQL'
$paths = @($instanceKey, $wowInstanceKey)
foreach ($path in $paths) {
if (Test-Path $path) {
$props = Get-ItemProperty -Path $path
foreach ($p in $props.PSObject.Properties) {
if ($p.Name -in @('PSPath','PSParentPath','PSChildName','PSDrive','PSProvider')) { continue }
$instanceName = $p.Name
$instanceId = $p.Value
$setupPath = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$instanceId\Setup"
$wowSetupPath = "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Microsoft SQL Server\$instanceId\Setup"
$setup = $null
if (Test-Path $setupPath) { $setup = Get-ItemProperty -Path $setupPath }
elseif (Test-Path $wowSetupPath) { $setup = Get-ItemProperty -Path $wowSetupPath }
if ($setup) {
$ver = $setup.Version
if (-not $ver) { $ver = $setup.PatchLevel }
$edition = $setup.Edition
$major = $null
if ($ver -match '^(\d+)\.') { $major = [int]$matches[1] }
$results += [PSCustomObject]@{
InstanceName = $instanceName
InstanceId = $instanceId
Version = $ver
MajorVersion = $major
Edition = $edition
}
} else {
$results += [PSCustomObject]@{
InstanceName = $instanceName
InstanceId = $instanceId
Version = $null
MajorVersion = $null
Edition = $null
}
}
}
}
}
return $results
}
$instances = Get-InstanceVersionInfo
if (-not $instances -or $instances.Count -eq 0) {
Write-Output 'UNKNOWN - No SQL Server instances found in expected registry locations.'
exit 2
}
$overall = 'PATCHED'
$unknownFound = $false
$details = @()
foreach ($i in $instances) {
if ($null -eq $i.MajorVersion) {
$state = 'UNKNOWN'
$unknownFound = $true
} else {
$state = Get-SqlSupportState -MajorVersion $i.MajorVersion -Now $asOf
}
if ($state -eq 'VULNERABLE') { $overall = 'VULNERABLE' }
elseif ($state -eq 'UNKNOWN' -and $overall -ne 'VULNERABLE') { $overall = 'UNKNOWN' }
$details += ('Instance={0}; Version={1}; Edition={2}; State={3}' -f $i.InstanceName, ($i.Version ?? 'unknown'), ($i.Edition ?? 'unknown'), $state)
}
Write-Output ($overall + ' - ' + ($details -join ' | '))
switch ($overall) {
'PATCHED' { exit 0 }
'VULNERABLE' { exit 1 }
default { exit 2 }
}07 · Bottom Line
If you remember one thing.
TL;DR
Monday morning, treat this as lifecycle debt on sensitive infrastructure, not as a pager-grade zero-day. First, inventory every host tagged by plugin
73756, split them into internet-exposed, crown-jewel, and ordinary internal app backends, and validate that anything reachable on SQL ports is tightly fenced; for a MEDIUM verdict there is noisgate mitigation SLA — no mitigation SLA — go straight to the 365-day remediation window. Then build an upgrade or migration plan to supported SQL Server releases and close all unsupported instances within the noisgate remediation SLA of ≤365 days, with any directly exposed legacy SQL hosts handled ahead of the rest as an exception queue.Sources
Peer Review
What defenders are saying.
Submit a review
attribution: handle + country only
0 flags selected · stored anonymously
Validation Results
Crowdsourced verification outputs.
Results submitted by users who ran the verification payload against their environment.