Cyber Resilience

CVE-2025-49718
Severity: High
Published: 08 July 2025
Modified: 17 July 2025
KEV Added: not listed
Patch: see the Microsoft advisory
CVSS v3.1 score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS score: 0.2198 (95.9th percentile)
Risk Priority: 28 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-49718 is a high-severity Use of Uninitialized Resource (CWE-908) vulnerability in Microsoft SQL Server 2019. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 4.1% of CVEs by exploit likelihood (EPSS), but it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2025-49718 is a use of uninitialized resource vulnerability, tracked under CWE-908, that affects Microsoft SQL Server. The flaw permits unauthorized information disclosure over a network and carries a CVSS 3.1 base score of 7.5 with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N.

An unauthenticated attacker can send specially crafted network requests to a vulnerable SQL Server instance and obtain sensitive data without any privileges or user interaction. The attack requires only network reachability and succeeds because the server may expose memory contents that were never properly initialized.

Microsoft has published an advisory for CVE-2025-49718 that describes available patches and recommended mitigation steps. The current EPSS score of 0.2198, with a recorded peak of 0.2354, indicates moderate and relatively stable exploitation interest since disclosure.

Vulnerability details

Use of uninitialized resource in SQL Server allows an unauthorized attacker to disclose information over a network.

CWE(s): CWE-908 (Use of Uninitialized Resource)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Microsoft SQL Server 2019: builds 15.0.2000.5 to 15.0.2135.5 and 15.0.4003.23 to 15.0.4435.7
Microsoft SQL Server 2022: builds 16.0.1000.6 to 16.0.1140.6 and 16.0.4003.1 to 16.0.4200.1
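A defender's "am I affected?" check against the build ranges listed above, written as an added example (it is not code from this tracker or from Microsoft). It assumes the ranges are inclusive at both ends and that each instance's version string comes from SELECT SERVERPROPERTY('ProductVersion'); the sample inventory is constructed.

```python
"""Check SQL Server build numbers against the CVE-2025-49718 affected ranges."""
from typing import List, Tuple

Version = Tuple[int, ...]

# Build ranges copied from this page's Affected Assets list, inclusive on both ends.
# Confirm the fixed builds against Microsoft's advisory before acting on a match.
AFFECTED_RANGES = {
    "SQL Server 2019": [("15.0.2000.5", "15.0.2135.5"), ("15.0.4003.23", "15.0.4435.7")],
    "SQL Server 2022": [("16.0.1000.6", "16.0.1140.6"), ("16.0.4003.1", "16.0.4200.1")],
}


def parse_version(text: str) -> Version:
    """Turn '15.0.4435.7' into (15, 0, 4435, 7) so comparison is numeric.

    A plain string comparison would misorder builds (e.g. '15.0.999.1' sorts
    after '15.0.2000.5'), so every field is converted to an integer.
    """
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a 4-part SQL Server build number: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(product_version: str) -> Tuple[bool, str]:
    """Return (affected, reason) for one ProductVersion string."""
    build = parse_version(product_version)
    for product, ranges in AFFECTED_RANGES.items():
        for low, high in ranges:
            lo, hi = parse_version(low), parse_version(high)
            if lo[:2] != build[:2]:
                continue  # different major.minor line (2019 vs 2022)
            if lo <= build <= hi:
                return True, f"{product} build {product_version} is within {low} to {high}"
    return False, f"build {product_version} is outside the listed affected ranges"


def triage(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return the hostnames whose build falls inside an affected range."""
    return [host for host, version in inventory if is_affected(version)[0]]


if __name__ == "__main__":
    # Constructed sample inventory (hostname, ProductVersion); not real hosts.
    sample = [("sql-prod-01", "15.0.4382.1"), ("sql-prod-02", "16.0.4200.1"),
              ("sql-dev-03", "16.0.4205.1"), ("sql-legacy-04", "14.0.3456.2")]
    for host, version in sample:
        print(host, *is_affected(version))
    print("needs patching:", triage(sample))
```

A build newer than a listed upper bound is reported as outside the ranges; whether that build actually carries the fix is what the advisory confirms.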

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
