Microsoft SQL Server Privilege Escalation Vulnerability via SQL Injection

Vulnerability

A SQL injection vulnerability has been identified in Microsoft SQL Server that allows an authorized attacker to inject arbitrary T-SQL commands and elevate privileges over a network. The issue arises from improper neutralization of special elements used in SQL commands (CWE-89): a database name containing such elements is not neutralized before it is used in a SQL statement, and a crafted name could be exploited to gain administrator privileges.
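As an added illustration of the flaw class the advisory describes, and not SQL Server's own code or the actual vulnerable component (which the advisory does not name), the hypothetical procedures below show a caller-supplied database name concatenated into dynamic T-SQL beside the validated, delimited form. Procedure names and the size-report query are constructed for this example.

```sql
-- Added example, not from the advisory or from SQL Server itself.
-- Both procedures are hypothetical; they report the size of a database whose
-- name the caller supplies, the kind of place a database name reaches dynamic SQL.

-- Unsafe pattern: the name is concatenated as-is, so special characters in
-- @dbname change the statement that EXEC runs. When a procedure like this runs
-- with a more privileged context than its caller (EXECUTE AS OWNER, a signed
-- module, or ownership chaining), the injected statement runs with that context,
-- which is the privilege-escalation path the advisory describes.
CREATE OR ALTER PROCEDURE dbo.usp_ReportSize_Unsafe @dbname sysname
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT SUM(size) * 8 / 1024 AS size_mb FROM '
        + @dbname + N'.sys.database_files;';
    EXEC (@sql);
END
GO

-- Hardened pattern:
--   1. resolve the name against sys.databases, which acts as an allow-list of
--      identifiers that actually exist,
--   2. delimit it with QUOTENAME so it can only ever be parsed as an identifier
--      (QUOTENAME doubles any embedded ] and returns NULL for over-long input),
--   3. run the statement through sp_executesql, and
--   4. keep the execution context explicit so callers cannot borrow owner rights.
CREATE OR ALTER PROCEDURE dbo.usp_ReportSize_Safe @dbname sysname
WITH EXECUTE AS CALLER
AS
BEGIN
    IF NOT EXISTS (SELECT 1 FROM sys.databases WHERE name = @dbname)
    BEGIN
        ;THROW 50001, N'Unknown database name.', 1;
    END;

    DECLARE @sql nvarchar(max) =
        N'SELECT SUM(size) * 8 / 1024 AS size_mb FROM '
        + QUOTENAME(@dbname) + N'.sys.database_files;';
    EXEC sys.sp_executesql @sql;
END
GO

-- Same call on both; only the hardened one refuses a name that is not a database.
EXEC dbo.usp_ReportSize_Safe @dbname = N'master';
```

CREATE OR ALTER requires SQL Server 2016 SP1 or later; on older versions use separate CREATE and ALTER statements.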

Impact

Exploitation of this vulnerability could lead to unauthorized privilege escalation, allowing an attacker to gain administrative rights on the affected SQL Server instance.

Remediation

Apply the security update for the installed version of SQL Server. Detailed update instructions are available in the Microsoft Knowledge Base. Security updates can also be applied to SQL Server instances running on Windows Azure (IaaS) through Microsoft Update or manually from the Microsoft Download Center.

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm

spread: 8.1
impact: 5.0
exploitability: 4.9
remediation: 7.7
relevance: 0.3
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.