CVE-2025-47997: 
vulnerability analysis and mitigation

CVE-2025-47997 is a Microsoft SQL Server Information Disclosure vulnerability discovered and disclosed in September 2025. The vulnerability affects SQL Server 2016 Service Pack 3 and involves a race condition that can lead to network-based information disclosure. Specifically, the vulnerability exists in scenarios where Dynamic Management Views (DMVs) are used to inspect the text of statements running in other sessions that might contain sensitive data (Microsoft KB).

The vulnerability is rated as Important severity with a CVSS v3.1 base score of 6.5 MEDIUM (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H). The issue stems from a race condition in SQL Server that can expose sensitive information when DMVs are used in specific scenarios to inspect statement text from other sessions (Bleeping Computer, GBHackers).

The vulnerability allows attackers to access sensitive information through network-based information disclosure. When exploited, attackers can view the text of statements running in other sessions which may contain confidential data (Cyber Security News).

Microsoft has released security update KB5065226 for SQL Server 2016 SP3 GDR that addresses this vulnerability. The update is available through Windows Update, Microsoft Update Catalog, and as a standalone package that can be downloaded from the Microsoft Download Center. System administrators are strongly urged to apply this security update promptly (Microsoft KB).