CVE-2025-49758: 
vulnerability analysis and mitigation

CVE-2025-49758 is a SQL injection vulnerability discovered in Microsoft SQL Server that was disclosed on August 12, 2025. The vulnerability affects multiple versions of SQL Server including SQL Server 2016, 2017, 2019, and 2022. This security issue allows an authorized attacker to perform SQL injection attacks through a system stored procedure (NVD).

The vulnerability is classified as an 'Improper neutralization of special elements used in an SQL command' (SQL injection) with a CVSS v3.1 Base Score of 8.8 (HIGH). The attack vector is network-based (AV:N) with low attack complexity (AC:L), requiring low privileges (PR:L), and no user interaction (UI:N). The scope is unchanged (S:U) with high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H) (NVD).

The vulnerability allows an authorized attacker to elevate privileges over a network through SQL injection attacks. This could potentially lead to unauthorized access to sensitive data, modification of database contents, and compromise of system integrity (NVD).

Microsoft has released security updates to address this vulnerability. The fixes are available in SQL Server 2016 (13.0.6465.1), SQL Server 2017 (14.0.2080.1, 14.0.3500.1), SQL Server 2019 (15.0.2140.1, 15.0.4440.1), and SQL Server 2022 (16.0.1145.1, 16.0.4210.1). Users are strongly advised to apply these updates (KB5063757).