CVE-2025-55227

Published Sep 9, 2025

Last updated 6 months ago

CVSS high 8.8

Overview

Description: Improper neutralization of special elements used in a command ('command injection') in SQL Server allows an authorized attacker to elevate privileges over a network.
Source: secure@microsoft.com
NVD status: Analyzed
Products: sql_server_2016, sql_server_2017, sql_server_2019, sql_server_2022

Risk scores

CVSS 3.1

Type: Primary
Base score: 8.8
Impact score: 5.9
Exploitability score: 2.8
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity: HIGH

Weaknesses

secure@microsoft.com: CWE-77

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:microsoft:sql_server_2016:*:*:*:*:*:*:x64:*",
            "matchCriteriaId": "59CA93B0-4137-4AAC-BB1E-6B2B4F79046A",
            "versionEndExcluding": "13.0.6470.1",
            "versionStartIncluding": "13.0.6300.2",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:microsoft:sql_server_2016:*:*:*:*:*:*:x64:*",
            "matchCriteriaId": "0CB4799A-6779-4976-8EDF-51562C1FAD86",
            "versionEndExcluding": "13.0.7065.1",
            "versionStartIncluding": "13.0.7000.253",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:microsoft:sql_server_2017:*:*:*:*:*:*:x64:*",
            "matchCriteriaId": "B7B97285-2318-4543-BC6C-B623B168765D",
            "versionEndExcluding": "14.0.2085.1",
            "versionStartIncluding": "14.0.1000.169",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:microsoft:sql_server_2017:*:*:*:*:*:*:x64:*",
            "matchCriteriaId": "A83261BD-47F9-4435-97F9-49760895FB40",
            "versionEndExcluding": "14.0.3505.1",
            "versionStartIncluding": "14.0.3006.16",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:microsoft:sql_server_2019:*:*:*:*:*:*:x64:*",
            "matchCriteriaId": "EC0485DD-0DCE-42E9-86A7-BCF06657C40E",
            "versionEndExcluding": "15.0.2145.1",
            "versionStartIncluding": "15.0.2000.5",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:microsoft:sql_server_2019:*:*:*:*:*:*:x64:*",
            "matchCriteriaId": "AB92356F-BACC-4BB1-94B5-790081104E88",
            "versionEndExcluding": "15.0.4445.1",
            "versionStartIncluding": "15.0.4003.23",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:microsoft:sql_server_2022:*:*:*:*:*:*:x64:*",
            "matchCriteriaId": "DD20A016-AC41-4512-98AA-92E3765036B3",
            "versionEndExcluding": "16.0.1150.1",
            "versionStartIncluding": "16.0.1000.6",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:microsoft:sql_server_2022:*:*:*:*:*:*:x64:*",
            "matchCriteriaId": "CFAC6C9B-F544-42D4-A490-DD607A7688D4",
            "versionEndExcluding": "16.0.4212.1",
            "versionStartIncluding": "16.0.4003.1",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  }
]

References

Sources include official advisories and independent security research.

Overview

Risk scores

CVSS 3.1

Weaknesses

Social media

Configurations

Related CVEs

References