Cyber Resilience

CVE-2025-49758

Severity: High
Published: 12 August 2025
Modified: 14 August 2025
KEV Added: not listed
Patch: see vendor advisory
CVSS Score (v3.1): 8.8, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 0.0129 (80.1st percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-49758 is a high-severity Improper Privilege Management (CWE-269) vulnerability in Microsoft SQL Server 2016, with a CVSS v3.1 base score of 8.8 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks in the top 19.9% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-49758 is an SQL injection vulnerability caused by improper neutralization of special elements used in SQL commands within SQL Server. The issue is classified under CWE-269 and received a CVSS 3.1 base score of 8.8, reflecting a network attack vector, low attack complexity, and low privileges required for exploitation.

An authorized attacker (one already holding low-privileged credentials, matching PR:L in the vector) can leverage the flaw over a network to elevate privileges on the affected SQL Server instance, with high impact to confidentiality, integrity, and availability. The current and peak EPSS scores both stand at 0.0129, indicating no material increase in observed exploitation interest since disclosure.

The Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49758 provides official guidance on mitigation and patching.

Vulnerability details

Improper neutralization of special elements used in an SQL command ('SQL injection') in SQL Server allows an authorized attacker to elevate privileges over a network.

CWE(s): CWE-269 Improper Privilege Management

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

SQL injection leading to authenticated remote privilege escalation directly matches Exploitation for Privilege Escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-49759 (same product: Microsoft SQL Server 2016)
CVE-2025-59499 (same product: Microsoft SQL Server 2016)
CVE-2025-24999 (same product: Microsoft SQL Server 2016)
CVE-2025-53727 (same product: Microsoft SQL Server 2016)
CVE-2026-26115 (same product: Microsoft SQL Server 2016)
CVE-2026-26116 (same product: Microsoft SQL Server 2016)
CVE-2025-55227 (same product: Microsoft SQL Server 2016)
CVE-2026-21262 (same product: Microsoft SQL Server 2016)
CVE-2025-21287 (same vendor: Microsoft)
CVE-2026-21533 (same vendor: Microsoft)

Affected Assets

Microsoft SQL Server 2016: builds 13.0.6300.2 to 13.0.6465.1 and 13.0.7000.253 to 13.0.7060.1
Microsoft SQL Server 2017: builds 14.0.1000.169 to 14.0.2080.1 and 14.0.3006.16 to 14.0.3500.1
Microsoft SQL Server 2019: builds 15.0.2000.5 to 15.0.2140.1 and 15.0.4003.23 to 15.0.4440.1
Microsoft SQL Server 2022: builds 16.0.1000.6 to 16.0.1145.1 and 16.0.4003.1 to 16.0.4210.1

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)
Directly requires validation of information inputs to neutralize special elements in SQL commands, preventing SQL injection exploitation.

SI-2 Flaw Remediation (prevent)
Mandates timely remediation of identified flaws, such as applying Microsoft's patch for this SQL Server SQL injection vulnerability.

Least privilege (prevent)
Enforces least privilege to restrict the damage from privilege escalation even if SQL injection partially succeeds.
