Cyber Resilience

CVE-2025-47954

Severity: High
Published: 12 August 2025
Modified: 14 August 2025
KEV Added: not listed
CVSS Score (v3.1): 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0376 (88.3rd percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-47954 is a high-severity SQL Injection (CWE-89) vulnerability in Microsoft Sql Server 2022. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks in the top 11.7% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

The vulnerability is an SQL injection issue tracked as CWE-89 that affects SQL Server. It arises from improper neutralization of special elements in SQL commands and carries a CVSS 3.1 score of 8.8 with the vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.

An authorized attacker with network access can exploit the flaw to elevate privileges on the affected SQL Server instance, resulting in high impact to confidentiality, integrity, and availability.

The Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-47954 addresses CVE-2025-47954. The associated EPSS score has remained flat: its peak and current value are both 0.0376, with no material increase observed after disclosure.

Vulnerability details

Improper neutralization of special elements used in an SQL command ('SQL injection') in SQL Server allows an authorized attacker to elevate privileges over a network.

CWE(s)

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

SQL injection in SQL Server directly enables remote privilege escalation by an authenticated attacker (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-49759 · Same product: Microsoft Sql Server 2022
CVE-2025-59499 · Same product: Microsoft Sql Server 2022
CVE-2025-53727 · Same product: Microsoft Sql Server 2022
CVE-2026-26116 · Same product: Microsoft Sql Server 2022
CVE-2026-20803 · Same product: Microsoft Sql Server 2022
CVE-2025-24999 · Same product: Microsoft Sql Server 2022
CVE-2025-49758 · Same product: Microsoft Sql Server 2022
CVE-2026-26115 · Same product: Microsoft Sql Server 2022
CVE-2025-49717 · Same product: Microsoft Sql Server 2022
CVE-2025-59213 · Same vendor: Microsoft

Affected Assets

Microsoft SQL Server 2022: versions 16.0.1000.6 to 16.0.1145.1 and 16.0.4003.1 to 16.0.4210.1

Mitigating Controls (NIST 800-53 r5)

Prevent (SI-10, Information Input Validation): Directly and comprehensively mitigates SQL injection (CWE-89) by requiring validation of information inputs to prevent improper neutralization of special elements in SQL commands.

Prevent: Requires timely identification, reporting, and correction of known flaws such as this SQL injection vulnerability in SQL Server through patching.

Prevent (RA-5, Vulnerability Monitoring and Scanning): Ensures vulnerabilities such as CVE-2025-47954 are scanned for and remediated promptly to prevent remote privilege escalation.