Microsoft SQL Server
cpe:2.3:a:microsoft:sql_server:*:*:*:*:*:*:*
A SQL injection vulnerability has been identified in Microsoft SQL Server, allowing an authorized attacker to elevate privileges over a network. This issue arises from improper neutralization of special elements used in SQL commands, enabling attackers with certain permissions to gain administrative rights.
Exploitation of this vulnerability could allow an authenticated attacker to gain sysadmin privileges on the SQL Server.
Users can apply the security update for their specific version of SQL Server. Detailed update instructions are available in the Microsoft Security Update Guide. For SQL Server 2019, the GDR update is recommended if previous GDR updates have been installed, while CU updates should be applied if prior CU updates have been used. SQL Server instances on Windows Azure (IaaS) can also receive these security updates.