CVE-2025-55227

Published: Sep 9, 2025Modified: Sep 12, 2025

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: secure@microsoft.com (Secondary)

Description

Improper neutralization of special elements used in a command ('command injection') in SQL Server allows an authorized attacker to elevate privileges over a network.

Affected (8)

Products: Microsoft: Sql Server 2016, Sql Server 2017, Sql Server 2019, Sql Server 2022

4 products

Configuration A

8 vulnerable

Vulnerable Software	Affected Versions
Microsoft Sql Server 2016	From 13.0.6300.2 to 13.0.6470.1
Microsoft Sql Server 2016	From 13.0.7000.253 to 13.0.7065.1
Microsoft Sql Server 2017	From 14.0.1000.169 to 14.0.2085.1
Microsoft Sql Server 2017	From 14.0.3006.16 to 14.0.3505.1
Microsoft Sql Server 2019	From 15.0.2000.5 to 15.0.2145.1
Microsoft Sql Server 2019	From 15.0.4003.23 to 15.0.4445.1
Microsoft Sql Server 2022	From 16.0.1000.6 to 16.0.1150.1
Microsoft Sql Server 2022	From 16.0.4003.1 to 16.0.4212.1

Related CWEs

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

References (1)

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55227

Source: secure@microsoft.com

Vendor Advisory

Timeline

No history available yet.