13.0.6465.1
13.0.7060.1
14.0.3500.1
14.0.2080.1
15.0.4440.1
15.0.2140.1
16.0.4210.1
16.0.1145.1
CVE-2025-49758 describes a SQL injection vulnerability within Microsoft SQL Server. This flaw allows an authenticated attacker to execute arbitrary SQL commands, potentially leading to privilege escalation and unauthorized data access. The vulnerability impacts SQL Server versions up to and including 16.0.4210.1. A patch is available from Microsoft, resolving this critical security issue.
Successful exploitation of CVE-2025-49758 grants an attacker the ability to inject malicious SQL code into database queries. This can lead to a wide range of damaging consequences, including unauthorized access to sensitive data, modification or deletion of critical database records, and even complete compromise of the SQL Server instance. An attacker could potentially gain control over the entire system if the SQL Server account has sufficient privileges. The impact is particularly severe in environments where SQL Server handles sensitive information like financial data, personal identifiable information (PII), or intellectual property. This vulnerability shares similarities with other SQL injection attacks, where attackers leverage improper input validation to manipulate database queries.
CVE-2025-49758 was publicly disclosed on 2025-08-12. Its severity is rated HIGH with a CVSS score of 8.8. While no public proof-of-concept (PoC) code has been released as of this writing, the nature of SQL injection vulnerabilities makes it likely that exploits will emerge. The vulnerability is not currently listed on the CISA KEV catalog, but this could change as more information becomes available. Active campaigns targeting SQL Server vulnerabilities are common, so organizations should prioritize patching.
Organizations heavily reliant on Microsoft SQL Server for data storage and management are at significant risk. This includes businesses in the financial, healthcare, and retail sectors. Systems with legacy applications that do not properly sanitize user input are particularly vulnerable. Shared hosting environments where multiple applications share the same SQL Server instance also face increased risk.
• windows / mssql:
Get-SQLAuthenticationMethod | Select-Object Name, AuthenticationType• linux / server:
ps aux | grep sqlservr• database (mysql, redis, mongodb, postgresql):
-- CVE-2025-49758 Detection: Check for unusual stored procedures
SELECT name FROM sys.procedures WHERE definition LIKE '%EXEC sp_executesql%';• generic web:
curl -I https://your-sql-server-endpoint/ --header "X-Custom-Header: \" or 1=1 --"disclosure
漏洞利用状态
EPSS
0.13% (32% 百分位)
CISA SSVC
CVSS 向量
The primary mitigation for CVE-2025-49758 is to upgrade to Microsoft SQL Server version 16.0.4210.1 or later, which includes the necessary security fixes. Before upgrading, it’s crucial to review Microsoft’s documentation for compatibility and potential breaking changes. If an immediate upgrade is not feasible, consider implementing stricter input validation and parameterized queries within your applications to prevent SQL injection attacks. Web application firewalls (WAFs) can also be configured to detect and block malicious SQL injection attempts. Regularly review database permissions and ensure that users only have the minimum necessary privileges.
Aplique las actualizaciones de seguridad proporcionadas por Microsoft para Microsoft SQL Server. Consulte el boletín de seguridad de Microsoft CVE-2025-49758 para obtener información específica sobre las versiones afectadas y las actualizaciones correspondientes. Se recomienda realizar copias de seguridad antes de aplicar cualquier actualización.
漏洞分析和关键警报直接发送到您的邮箱。
CVE-2025-49758 is a high-severity SQL injection vulnerability affecting Microsoft SQL Server versions up to 16.0.4210.1, allowing attackers to potentially elevate privileges and access sensitive data.
If you are running Microsoft SQL Server version 16.0.4210.1 or earlier, you are potentially affected by this vulnerability. Check your version and apply the patch immediately.
Upgrade to Microsoft SQL Server version 16.0.4210.1 or later. Prior to upgrading, review Microsoft’s documentation for compatibility and potential breaking changes.
While no public exploits are currently available, the nature of SQL injection vulnerabilities suggests exploitation is likely. Organizations should prioritize patching to mitigate this risk.
Refer to the official Microsoft Security Update Guide for CVE-2025-49758: [https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49758](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49758)