CVE-2025-49759: 
vulnerability analysis and mitigation

CVE-2025-49759 is a SQL injection vulnerability discovered in Microsoft SQL Server that was disclosed on August 12, 2025. The vulnerability affects multiple versions of SQL Server including SQL Server 2016, 2017, 2019, and 2022. This security flaw allows an authorized attacker to perform SQL injection attacks through improper neutralization of special elements used in SQL commands (NVD).

The vulnerability has been assigned a CVSS v3.1 Base Score of 8.8 (HIGH) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). It affects multiple versions of SQL Server, including SQL Server 2016 (13.0.6300.2 to 13.0.6465.1), SQL Server 2017 (14.0.1000.169 to 14.0.2080.1), SQL Server 2019 (15.0.2000.5 to 15.0.2140.1), and SQL Server 2022 (16.0.1000.6 to 16.0.1145.1) (NVD).

The vulnerability allows an authorized attacker to elevate privileges over a network through SQL injection attacks. This could potentially lead to unauthorized access to sensitive data, manipulation of database contents, and elevation of privileges within the system (NVD).

Microsoft has released security updates to address this vulnerability as part of the August 2025 Patch Tuesday updates. The fix is included in SQL Server 2019 CU32 (version 15.0.4440.1) and addresses the SQL injection vulnerability in system stored procedures (Microsoft Support).