SQL Injection Vulnerability in Microsoft SQL Server
CVE-2025-49758

8.8HIGH

Key Information:

Vendor

Microsoft
Status
Microsoft Sql Server 2017 (gdr)
Microsoft Sql Server 2019 (gdr)
Microsoft Sql Server 2016 Service Pack 3 (gdr)
Microsoft Sql Server 2016 Service Pack 3 Azure Connect Feature Pack
Vendor
CVE Published:
12 August 2025

What is CVE-2025-49758?

An SQL injection vulnerability in Microsoft SQL Server permits an authorized attacker to manipulate SQL commands by improperly neutralizing special elements. This flaw could enable the attacker to elevate their privileges over a network, potentially compromising sensitive data and the integrity of database operations.

Affected Version(s)

Microsoft SQL Server 2016 Service Pack 3 (GDR) x64-based Systems 13.0.0 < 13.0.6465.1

Microsoft SQL Server 2016 Service Pack 3 Azure Connect Feature Pack x64-based Systems 13.0.0 < 13.0.7060.1

Microsoft SQL Server 2017 (CU 31) x64-based Systems 14.0.0 < 14.0.3500.1

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE...
vendor-advisory

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.
CVE-2025-49758 : SQL Injection Vulnerability in Microsoft SQL Server