Microsoft has released a security update addressing a severe vulnerability in Microsoft SQL Server identified as CVE-2025-59499. This flaw, classified as an Elevation of Privilege vulnerability, carries a CVSS score of 8.8, making it a high-risk issue for enterprise environments.
What is CVE-2025-59499?
The vulnerability stems from improper neutralization of special elements in SQL commands (aligned with CWE-89). Attackers with low privileges can exploit this flaw by creating a malicious database name containing SQL control characters.
When processed, this input could allow arbitrary T-SQL commands to execute under the security context of the SQL Server process. If that process runs with high-privilege roles like sysadmin, attackers could escalate privileges to full administrative control.
Affected SQL Server Versions
The flaw impacts multiple SQL Server generations:
- SQL Server 2022
- SQL Server 2019
- SQL Server 2017
- SQL Server 2016
Microsoft has released updates for all supported baselines under General Distribution Release (GDR) and Cumulative Update (CU) channels.
Severity and Exploitability
- CVSS Score: 8.8 (High)
- Attack Complexity: Low
- Impact: Confidentiality, Integrity, and Availability
- Network Exploitable: Yes
- User Interaction: None required
Although Microsoft rates the exploitability as “less likely”, organizations are strongly advised to patch immediately.
Update Packages and KB References
Microsoft has provided security updates for each version:
- SQL Server 2022: KB 5068406 (CU21+GDR)
- SQL Server 2019: KB 5068404 (CU32+GDR)
- SQL Server 2017: KB 5068402 (CU31+GDR)
Each build includes fixes for security and servicing issues, ensuring compliance and protection against this injection flaw.
Mitigation and Update Guidance
To secure your environment:
- Identify your SQL Server build number.
- Apply the correct update path:
- GDR patch for systems using only GDR updates.
- CU security package for cumulative update installations.
- Azure-hosted SQL Server (IaaS) instances can be patched via Microsoft Update or manual installation.
Failure to apply these updates could expose critical data systems to privilege escalation, unauthorized command execution, and administrative compromise.
Coordinated Disclosure
Microsoft acknowledged collaboration with Pythian researchers for responsible disclosure of this vulnerability.
Why Immediate Action Matters
Enterprise SQL Server deployments often host sensitive data. A successful exploit could lead to complete administrative takeover, making this patch a top priority for IT teams.
