CVE-2025-49718: 
vulnerability analysis and mitigation

CVE-2025-49718 is a security vulnerability affecting Microsoft SQL Server that was disclosed on July 8, 2025. The vulnerability is classified as an information disclosure issue stemming from the use of uninitialized resources in SQL Server, which could allow unauthorized attackers to access sensitive information over a network (NVD, MITRE CVE).

The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The technical root cause has been identified as a Use of Uninitialized Resource (CWE-908) vulnerability that specifically affects the SQL Server component (NVD).

The vulnerability allows unauthorized attackers to disclose information over a network. Based on the CVSS scoring, the vulnerability has high confidentiality impact but does not affect system integrity or availability (NVD).

Microsoft has released security update KB5058712 to address this vulnerability. The update is available through Windows Update, Microsoft Update Catalog, and as a standalone package. The fix addresses the issue where uninitialized memory can be read in some rare cases when using variable length parameters (KB Article).