CVE-2025-49718
Published: 08 July 2025
Summary
CVE-2025-49718 is a high-severity Use of Uninitialized Resource (CWE-908) vulnerability in Microsoft SQL Server 2019. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 4.1% of CVEs by EPSS exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2025-49718 is a use of uninitialized resource vulnerability, tracked under CWE-908, that affects Microsoft SQL Server. The flaw permits unauthorized information disclosure over a network and carries a CVSS 3.1 base score of 7.5 with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N: network-reachable, low attack complexity, no privileges or user interaction required, high confidentiality impact, and no integrity or availability impact.
An unauthenticated attacker can send specially crafted network requests to a vulnerable SQL Server instance and obtain sensitive data without any privileges or user interaction. The attack requires only network reachability to the SQL Server listener and succeeds because the server may return memory contents that were never properly initialized, so a response can carry stale bytes left behind by earlier processing.
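The mechanism described above, as an added illustration of the CWE-908 bug class in C. This is hypothetical server code written for this page, not SQL Server's or Microsoft's, and not a reproduction of this CVE: a pooled response buffer is reused across requests without being cleared, and a fixed-size frame is sent regardless of how many bytes were actually written, so an unauthenticated client that sends a trivial request receives stale bytes from an earlier request. The frame layout, buffer size, and the prior-request data are constructed assumptions; the hardened path zeroes the buffer and sends only the bytes it wrote.

```c
/* Illustration of CWE-908 (use of uninitialized resource) in a network
 * response path, beside the hardened form. Hypothetical server code written
 * for this page; not SQL Server's and not a reproduction of CVE-2025-49718. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FRAME_LEN 64   /* fixed-size wire frame (assumption) */
#define HDR_LEN   8    /* magic, version, flags, reserved, u32 payload length */

/* Response buffer reused across requests without clearing, as a pooled
 * allocator or a recycled stack slot would be. It is the "uninitialized
 * resource": zeroed once at process start, then carrying whatever the
 * previous request left in it. */
static unsigned char pool_buf[FRAME_LEN];

/* Constructed sample: an earlier request left sensitive row data here. */
static const char PRIOR_ROW[] = "prev-row: user=alice token=hunter2-secret";

void simulate_prior_request(void)
{
    memcpy(pool_buf, PRIOR_ROW, sizeof PRIOR_ROW);   /* includes the NUL */
}

/* Build a response frame for `payload` into `out`; returns bytes to send.
 * hardened == 0: only header and payload bytes are written, yet the whole
 *                fixed-size frame goes on the wire, so every byte after the
 *                payload is stale data from the previous request.
 * hardened == 1: the buffer is zeroed first and only the bytes actually
 *                written are sent. */
size_t build_response(unsigned char *out, const unsigned char *payload,
                      size_t payload_len, int hardened)
{
    if (payload_len > FRAME_LEN - HDR_LEN)
        return 0;                                   /* reject oversize payload */

    if (hardened)
        memset(pool_buf, 0, FRAME_LEN);             /* fix 1: initialize the resource */

    pool_buf[0] = 0xAB;                             /* magic */
    pool_buf[1] = 0x01;                             /* protocol version */
    pool_buf[2] = 0x00;                             /* flags */
    pool_buf[3] = 0x00;                             /* reserved */
    uint32_t len = (uint32_t)payload_len;
    memcpy(pool_buf + 4, &len, sizeof len);         /* payload length, host order */
    memcpy(pool_buf + HDR_LEN, payload, payload_len);

    size_t wire_len = hardened ? HDR_LEN + payload_len   /* fix 2: send only what was written */
                               : FRAME_LEN;
    memcpy(out, pool_buf, wire_len);
    return wire_len;
}

/* Portable memmem: 1 if `needle` occurs in the first `len` bytes of `buf`. */
int frame_contains(const unsigned char *buf, size_t len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, needle, n) == 0)
            return 1;
    return 0;
}

/* Scenario: a prior request handled a secret, then an unauthenticated client
 * sends a trivial request. Returns bytes put on the wire; *leaked is set to 1
 * if the prior request's token is present in the frame the client receives. */
size_t run_scenario(int hardened, int *leaked)
{
    unsigned char wire[FRAME_LEN];
    simulate_prior_request();
    size_t n = build_response(wire, (const unsigned char *)"OK", 2, hardened);
    *leaked = frame_contains(wire, n, "hunter2-secret");
    return n;
}

int scenario_leaks(int hardened)      { int l; run_scenario(hardened, &l); return l; }
size_t scenario_wire_bytes(int hardened) { int l; return run_scenario(hardened, &l); }

int main(void)
{
    printf("vulnerable: %zu bytes on wire, secret leaked = %d\n",
           scenario_wire_bytes(0), scenario_leaks(0));
    printf("hardened:   %zu bytes on wire, secret leaked = %d\n",
           scenario_wire_bytes(1), scenario_leaks(1));
    return 0;
}
```

Both fixes matter on their own: zeroing alone still puts 54 bytes of padding on the wire for a 2-byte payload, and trimming alone still leaks if the length bookkeeping is ever wrong. Note also that memory-error tools such as MemorySanitizer do not flag the vulnerable path, because the stale bytes are initialized from the tool's point of view; this class of leak is found by review of what gets serialized, or by diffing responses across requests, not by instrumentation.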
Microsoft has published an advisory for CVE-2025-49718 that describes available patches and recommended mitigation steps; applying the July 2025 SQL Server update is the fix, and until it is applied the SQL Server listener should not be reachable from untrusted networks. The current EPSS score of 0.2198 (an estimated 22% probability of exploitation activity within the next 30 days), with a recorded peak of 0.2354, indicates moderate and relatively stable exploitation interest since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-20550
Vulnerability details
Use of uninitialized resource in SQL Server allows an unauthorized attacker to disclose information over a network.
- CWE(s): CWE-908 (Use of Uninitialized Resource)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.