Latest Microsoft SQL Server vulnerabilities #
Microsoft has disclosed three vulnerabilities in certain versions of Microsoft SQL Server:
- SQL Server is affected by a heap-based buffer overflow vulnerability that may allow an authorized adversary to escape the SQL server context and remotely execute code on the target host. Successful exploitation of the vulnerability requires the adversary to prepare the target environment prior to executing a specially crafted query. This vulnerability has been designated CVE-2025-49717 and has been rated high with a CVSS score of 8.5.
- SQL Server is affected by an information disclosure vulnerability due to its use of an uninitialized resource. Successful exploitation may allow an unauthorized adversary to remotely inspect heap memory from a privileged process running on the target host. This vulnerability has been designated CVE-2025-49718 and has been rated high with a CVSS score of 7.5.
- SQL Server is affected by an information disclosure vulnerability due to improper input validation. Successful exploitation may allow an unauthorized adversary to remotely inspect uninitialized memory on the target host. This vulnerability has been designated CVE-2025-49719 and has been rated high with a CVSS score of 7.5.
The information returned via CVE-2025-49718 and CVE-2025-49719 may aid the successful exploitation of CVE-2025-49717, as these vulnerabilities could disclose sensitive authentication information or help manipulate heap memory into a state more amenable to exploitation.
The following versions are affected by CVE-2025-49717 and CVE-2025-49718:
- Microsoft SQL Server 2019 (GDR) versions 15.x prior to 15.0.2135.5
- Microsoft SQL Server 2019 (CU 32) versions 15.x prior to 15.0.4435.7
- Microsoft SQL Server 2022 (GDR) versions 16.x prior to 16.0.4200.1
- Microsoft SQL Server 2022 (CU 19) versions 16.x prior to 16.0.1140.6
The following versions are affected by CVE-2025-49719:
- Microsoft SQL Server 2016 for Service Pack 2 (GDR) versions 13.x prior to 13.0.6460.7
- Microsoft SQL Server 2016 Service Pack 3 Azure Connect Feature Pack versions 13.x prior to 13.0.7055.9
- Microsoft SQL Server 2017 (GDR) versions 14.x prior to 14.0.2075.8
- Microsoft SQL Server 2017 (CU 31) versions 14.x prior to 14.0.3495.9
- Microsoft SQL Server 2019 (GDR) versions 15.x prior to 15.0.2135.5
- Microsoft SQL Server 2019 (CU 32) versions 15.x prior to 15.0.4435.7
- Microsoft SQL Server 2022 (GDR) versions 16.x prior to 16.0.4200.1
- Microsoft SQL Server 2022 (CU 19) versions 16.x prior to 16.0.1140.6
What is the impact? #
Successful exploitation of these vulnerabilities would allow an adversary to execute arbitrary code on the vulnerable host, potentially leading to complete system compromise, or to leak sensitive information.
Are any updates or workarounds available? #
Users are encouraged to update to the latest version as quickly as possible.
- Microsoft SQL Server 2016 for Service Pack 2 (GDR) upgrade to version 13.0.6460.7 or later
- Microsoft SQL Server 2016 Service Pack 3 Azure Connect Feature Pack upgrade to version 13.0.7055.9 or later
- Microsoft SQL Server 2017 (GDR) upgrade to version 14.0.2075.8 or later
- Microsoft SQL Server 2017 (CU 31) upgrade to version 14.0.3495.9 or later
- Microsoft SQL Server 2019 (GDR) upgrade to version 15.0.2135.5 or later
- Microsoft SQL Server 2019 (CU 32) upgrade to version 15.0.4435.7 or later
- Microsoft SQL Server 2022 (GDR) upgrade to version 16.0.4200.1 or later
- Microsoft SQL Server 2022 (CU 19) upgrade to version 16.0.1140.6 or later
If the SQL Server version is not represented above, then it is no longer supported. Users are advised to upgrade to the latest Service Pack or SQL Server product in order to receive current and future security updates.
How do I find Microsoft SQL Server installations with runZero? #
From the Software Inventory, use the following query to locate potentially impacted assets:
vendor:=Microsoft AND (product:="SQL Server" OR product:="SQL Server 20%") AND ((version:>=13.0.0 AND version:<13.0.7055.9) OR (version:>=14.0.0 AND version:<14.0.3495.9) OR (version:>=15.0.0 AND version:<15.0.4435.7) OR (version:>=16.0.0 AND version:<16.0.4200.1))
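The same version-range test, as an added example that is not runZero's or Microsoft's own code: it encodes the fixed builds listed above, compares builds numerically rather than as strings (string comparison would misorder builds such as 15.0.10000.0 against 15.0.4435.7), and reports which CVEs a given build is still exposed to. The sample builds at the bottom are constructed; the function assumes a version string of the form returned by `SERVERPROPERTY('ProductVersion')`.

```python
"""Classify a Microsoft SQL Server build against the fixed builds in the advisory above."""
from typing import Tuple

# Per major version: (lowest fixed build, highest fixed build, CVEs addressed), taken from
# the advisory. Each major has two servicing lines (GDR and CU / feature pack) with their
# own fixed build; the table keeps only the numbers, not which line each belongs to.
ADVISORY = {
    13: ("13.0.6460.7", "13.0.7055.9", ("CVE-2025-49719",)),
    14: ("14.0.2075.8", "14.0.3495.9", ("CVE-2025-49719",)),
    15: ("15.0.2135.5", "15.0.4435.7", ("CVE-2025-49717", "CVE-2025-49718", "CVE-2025-49719")),
    16: ("16.0.1140.6", "16.0.4200.1", ("CVE-2025-49717", "CVE-2025-49718", "CVE-2025-49719")),
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '15.0.4435.7' into (15, 0, 4435, 7); shorter strings are zero-padded to 4 parts."""
    parts = [int(p) for p in v.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {v!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def assess(version: str) -> Tuple[str, Tuple[str, ...]]:
    """Return (status, cves) for one build string."""
    build = parse_version(version)
    entry = ADVISORY.get(build[0])
    if entry is None:
        # Major version not listed in the advisory: out of support, no fix available.
        return "unsupported", ()
    low_fix, high_fix = parse_version(entry[0]), parse_version(entry[1])
    cves = entry[2]
    if build < low_fix:
        return "vulnerable", cves          # below both fixed builds: exposed on either line
    if build >= high_fix:
        return "patched", ()
    # Between the two fixed builds: an install on the servicing line with the lower fixed
    # build is patched, one on the line with the higher fixed build is not. The build number
    # alone does not say which line the host is on, so flag it for manual confirmation.
    return "verify-branch", cves


if __name__ == "__main__":
    # Constructed sample builds, one per outcome.
    for sample in ("12.0.6449.1", "14.0.2000.0", "15.0.4300.1", "16.0.4200.1"):
        print(sample, *assess(sample))
```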