CVE-2025-49758

Published Aug 12, 2025

Last updated 6 months ago

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-49758 is identified as an SQL injection vulnerability affecting Microsoft SQL Server. This security flaw impacts several versions of SQL Server, specifically including SQL Server 2016, 2017, 2019, and 2022. The vulnerability stems from an improper neutralization of special elements within an SQL command, allowing an authorized attacker to perform SQL injection attacks. This can lead to an attacker elevating their privileges over a network. The vulnerability was publicly disclosed on August 12, 2025, with a corresponding security update released on the same day.

Description: Improper neutralization of special elements used in an sql command ('sql injection') in SQL Server allows an authorized attacker to elevate privileges over a network.
Source: secure@microsoft.com
NVD status: Analyzed
Products: sql_server_2016, sql_server_2017, sql_server_2019, sql_server_2022

Risk scores

CVSS 3.1

Type: Primary
Base score: 8.8
Impact score: 5.9
Exploitability score: 2.8
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity: HIGH

Weaknesses

secure@microsoft.com: CWE-269

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:microsoft:sql_server_2016:*:*:*:*:*:*:x64:*",
            "vulnerable": true,
            "matchCriteriaId": "626A5652-EE42-481E-8EBA-C4953A0139C6",
            "versionEndExcluding": "13.0.6465.1",
            "versionStartIncluding": "13.0.6300.2"
          },
          {
            "criteria": "cpe:2.3:a:microsoft:sql_server_2016:*:*:*:*:*:*:x64:*",
            "vulnerable": true,
            "matchCriteriaId": "AF05D054-6DE2-4C9F-A569-1C119F59BD92",
            "versionEndExcluding": "13.0.7060.1",
            "versionStartIncluding": "13.0.7000.253"
          },
          {
            "criteria": "cpe:2.3:a:microsoft:sql_server_2017:*:*:*:*:*:*:x64:*",
            "vulnerable": true,
            "matchCriteriaId": "5FC21377-F991-41F2-B0F9-096F33D792CA",
            "versionEndExcluding": "14.0.2080.1",
            "versionStartIncluding": "14.0.1000.169"
          },
          {
            "criteria": "cpe:2.3:a:microsoft:sql_server_2017:*:*:*:*:*:*:x64:*",
            "vulnerable": true,
            "matchCriteriaId": "8B7BEE09-9587-4DBC-A0F6-246D5A4ED1B0",
            "versionEndExcluding": "14.0.3500.1",
            "versionStartIncluding": "14.0.3006.16"
          },
          {
            "criteria": "cpe:2.3:a:microsoft:sql_server_2019:*:*:*:*:*:*:x64:*",
            "vulnerable": true,
            "matchCriteriaId": "03C1FDC8-7C32-418B-91C4-7A6CA6B6EB91",
            "versionEndExcluding": "15.0.2140.1",
            "versionStartIncluding": "15.0.2000.5"
          },
          {
            "criteria": "cpe:2.3:a:microsoft:sql_server_2019:*:*:*:*:*:*:x64:*",
            "vulnerable": true,
            "matchCriteriaId": "1F64886B-B06F-437C-9FA4-093AD4B67411",
            "versionEndExcluding": "15.0.4440.1",
            "versionStartIncluding": "15.0.4003.23"
          },
          {
            "criteria": "cpe:2.3:a:microsoft:sql_server_2022:*:*:*:*:*:*:x64:*",
            "vulnerable": true,
            "matchCriteriaId": "028D984C-9E62-45EC-8EA2-C3083ADBA0B7",
            "versionEndExcluding": "16.0.1145.1",
            "versionStartIncluding": "16.0.1000.6"
          },
          {
            "criteria": "cpe:2.3:a:microsoft:sql_server_2022:*:*:*:*:*:*:x64:*",
            "vulnerable": true,
            "matchCriteriaId": "08F67AFA-E308-4BD9-8525-55D3839D83F9",
            "versionEndExcluding": "16.0.4210.1",
            "versionStartIncluding": "16.0.4003.1"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

References

Sources include official advisories and independent security research.