False Positive Microsoft SQL (MSSQL) Server Brute Force Logins With Default Credentials (Remote)

I’m experiencing a false positive for Microsoft SQL (MSSQL) Server Brute Force Logins With Default Credentials (Remote) with OID on multiple host in multiple networks.


Testing of the following account(s) has been stopped due to reaching the configured threshold of "2":


However, these accounts are disabled/or do not exist. It seems like the scanner “thinks” it could login, while it could not.

Is anyone seeing this? How can I provide more information to troubleshoot?

It seems there is a misunderstanding on this result, this is just a “log level” / 0.0 score based informative result (via a used log_message()) that the VT in question has stopped to test these accounts because reaching the defined threshold of testing these (defined via the preferences of the VT in question).

No false positive is involved here as the message doesn’t say / tell that a log in was possible via these accounts and there is no severity assigned to this result.

1 Like

Thank you for your answer.

I see something is going wrong in my system.

The CVSS base vector and score indicate that this is a critical/high severity but I didn’t look at the log message field. Thank you

script_tag(name:"cvss_base", value:"10.0");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_tag(name:"severity_vector", value:"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");