Microsoft has released critical security updates for all supported versions of SQL Server to address CVE-2025-49758, a severe SQL injection vulnerability that could allow an authenticated attacker to escalate privileges to sysadmin level over the network. The flaw, rated as Elevation of Privilege, stems from improper neutralization of special elements in SQL commands, commonly known as SQL injection. Administrators are urged to apply the patches immediately, especially for any SQL Server instance accessible from the internet or untrusted networks.

What is CVE-2025-49758?

The vulnerability exists in Microsoft SQL Server and is classified as an SQL injection (SQLi). When exploited, an authorized attacker with low-privileged access can craft malicious SQL statements to elevate their permissions. This could lead to full database compromise, lateral movement within the network, and unauthorized access to sensitive data. Although exploitation requires authentication, the ability to escalate from a low-privileged account to sysadmin makes this vulnerability particularly dangerous in multi-tenant environments, shared hosting, and applications with dynamic SQL.

Affected Versions and Patch Details

Microsoft’s advisory includes updates for SQL Server 2022, 2019, 2017, and 2016 SP3 (Azure Connect Feature Pack). Each version has both General Distribution Release (GDR) and Cumulative Update (CU) paths. The following table summarizes the update packages, version numbers, and applicability:

Update Number Title Version Apply if current version is… Includes servicing releases up through…
5063814 Security update for SQL Server 2022 CU20+GDR 16.0.4210.1 16.0.4003.1 – 16.0.4205.1 KB 5059390 - SQL2022 RTM CU20
5063756 Security update for SQL Server 2022 RTM+GDR 16.0.1145.1 16.0.1000.6 – 16.0.1140.6 KB 5058712 - Previous SQL2022 RTM GDR
5063757 Security update for SQL Server 2019 CU32+GDR 15.0.4440.1 15.0.4003.23 – 15.0.4435.7 KB 5058722 - Previous SQL2019 RTM CU32 GDR
5063758 Security update for SQL Server 2019 RTM+GDR 15.0.2140.1 15.0.2000.5 – 15.0.2135.5 KB 5058713 - Previous SQL2019 RTM GDR
5063759 Security update for SQL Server 2017 CU31+GDR 14.0.3500.1 14.0.3006.16 – 14.0.3495.9 KB 5058714 - Previous SQL2017 RTM CU31 GDR
5063760 Security update for SQL Server 2017 RTM+GDR 14.0.2080.1 14.0.1000.169 – 14.0.2075.8 KB 5058716 - Previous SQL2017 RTM GDR
5063761 Security update for SQL 2016 Azure Connect Feature Pack 13.0.7060.1 13.0.7000.253 – 13.0.7055.9 KB 5058717 - Previous SQL2016 Azure Connect Feature Pack GDR
5063762 Security update for SQL Server 2016 SP3 RTM+GDR 13.0.6465.1 13.0.6300.2 – 13.0.6460.7 KB 5058718 - Previous SQL2016 RTM GDR

Choose the GDR update if you have only installed previous GDR fixes; choose the CU update if you have previously applied a CU. Note: once you move to the CU path, you cannot go back to GDR for that baseline.

Instances running versions older than those listed (e.g., SQL Server 2008/2012/2014) are no longer supported and must be upgraded to a supported release to receive this fix.

Immediate Containment and Response

Treat this vulnerability as a high-priority patch for any SQL Server accessible from the internet or wide intranet. Security teams should execute the following steps within the first 24 hours:

  • Block external access: Use firewall rules or network security groups to restrict access to SQL Server ports (TCP 1433, UDP 1434) to only trusted management networks or application servers via VPN.
  • Apply the patch: After testing in a staging environment, deploy the security update to all affected production instances, prioritizing internet-facing systems.
  • Rotate credentials: If you detect suspicious activity, change passwords for high-privilege accounts (sa, service accounts) and monitor for unauthorized logins.
  • Enable auditing: Immediately turn on SQL Server Audit or Extended Events to capture security-related DDL changes, logins, and privilege alterations. Preserve existing logs for forensic analysis.

Detection Strategies

SQL injection attempts exploiting CVE-2025-49758 may leave traces in SQL Server and system logs. Focus on the following indicators:

  • Unusual use of sp_executesql with concatenated strings.
  • Queries containing stacked statements (semicolons followed by additional SQL) or comment injection sequences.
  • DDL statements that alter server roles or create logins: ALTER SERVER ROLE, sp_addsrvrolemember, ALTER LOGIN, CREATE LOGIN.
  • Logins from unfamiliar hosts or at unusual times, followed by privilege changes.

Use SQL Server Audit to record these events. For example, to search audit files for privilege changes:

SELECT event_time, server_principal_name, statement
FROM fn_get_audit_file('C:\Path\To\Audit*.sqlaudit', DEFAULT, DEFAULT)
WHERE statement LIKE '%ALTER LOGIN%' OR statement LIKE '%CREATE LOGIN%' OR statement LIKE '%sp_addsrvrolemember%';

For real-time monitoring, set up Extended Events sessions capturing sql_statement_completed and rpc_completed filtered on suspicious patterns. Forward relevant logs to your SIEM and create alerts for the above keywords.

Long-Term Hardening

Beyond patching, organizations should implement proactive measures to reduce the risk of SQL injection and privilege escalation:

  • Parameterize all queries: Replace dynamic SQL string concatenation with parameterized queries using sp_executesql or appropriate driver APIs.
  • Principle of least privilege: Application accounts should only have the minimum permissions needed. Avoid assigning the sysadmin or db_owner roles to application logins.
  • Input validation: Enforce strict server-side validation on all user-supplied data, using allowlists for known safe values.
  • Network segmentation: Place SQL Servers in isolated subnets accessible only by application servers, never directly from the internet.
  • Web Application Firewall (WAF): For web applications, deploy a WAF as a compensating control to block common SQLi patterns—but treat it as a temporary measure, not a fix.
  • Regular code reviews and testing: Integrate static analysis (SAST) and dynamic testing (DAST) into CI/CD pipelines to catch injection flaws early.

Patch Deployment Guidance

A controlled rollout minimizes disruption while ensuring protection:

  1. Inventory instances: Run SELECT @@VERSION; on each SQL Server to determine the exact build number and patch level.
  2. Test in staging: Apply the update in a non-production environment that mirrors your production workload. Verify that applications, replication, backups, and jobs function correctly.
  3. Update drivers if needed: Some patches may require updated ODBC/OLE DB drivers. Check Microsoft’s documentation and test client connectivity.
  4. Roll out to production: Start with low-risk instances, then proceed to business-critical ones. Keep a rollback plan (uninstall patch or restore from snapshot).
  5. Validate post-patch: Confirm that applications connect successfully and no performance regressions occur.

Incident Response and Forensics

If you suspect exploitation of CVE-2025-49758, preserve evidence before making changes:
- Take database and system snapshots.
- Export SQL Server error logs, Windows event logs, and network captures.
- Snapshot current logins and role memberships using:

SELECT name, type_desc, is_disabled FROM sys.server_principals;
SELECT * FROM sys.server_role_members;
  • Look for lateral movement signs: new scheduled tasks, service installations, or unusual SMB/RDP authentications.

The combination of immediate patching, vigilant monitoring, and long-term code hygiene will significantly lower the risk posed by SQL injection vulnerabilities. With CVE-2025-49758 actively addressed in Microsoft’s latest update cycle, administrators have a clear path to safeguard their SQL Server environments.