cbcvebase.
CVE-2025-55227
published 2025-09-09

CVE-2025-55227: Improper neutralization of special elements used in a command ('command injection') in SQL Server allows an authorized attacker to elevate privileges over a…

high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
Improper neutralization of special elements used in a command ('command injection') in SQL Server allows an authorized attacker to elevate privileges over a network.

Affected

21 ranges
VendorProductVersion rangeFixed in
microsoftmicrosoft_sql_server_2016_service_pack_3>= 13.0.0 < 13.0.6470.113.0.6470.1
microsoftmicrosoft_sql_server_2016_service_pack_3_azure_connect_feature_pack>= 13.0.0 < 13.0.7065.113.0.7065.1
microsoftmicrosoft_sql_server_2017>= 14.0.0 < 14.0.3505.114.0.3505.1
microsoftmicrosoft_sql_server_2017>= 14.0.0 < 14.0.2085.114.0.2085.1
microsoftmicrosoft_sql_server_2019>= 15.0.0 < 15.0.2145.115.0.2145.1
microsoftmicrosoft_sql_server_2019>= 15.0.0.0 < 15.0.4445.115.0.4445.1
microsoftmicrosoft_sql_server_2022>= 16.0.0 < 16.0.1150.116.0.1150.1
microsoftmicrosoft_sql_server_2022>= 16.0.0.0 < 16.0.4212.116.0.4212.1
microsoftsql_server_2016>= 13.0.6300.2 < 13.0.6470.113.0.6470.1
microsoftsql_server_2016>= 13.0.7000.253 < 13.0.7065.113.0.7065.1
microsoftsql_server_2017>= 14.0.1000.169 < 14.0.2085.114.0.2085.1
microsoftsql_server_2017>= 14.0.3006.16 < 14.0.3505.114.0.3505.1
microsoftsql_server_2019>= 15.0.2000.5 < 15.0.2145.115.0.2145.1
microsoftsql_server_2019>= 15.0.4003.23 < 15.0.4445.115.0.4445.1
microsoftsql_server_2022>= 16.0.1000.6 < 16.0.1150.116.0.1150.1
microsoftsql_server_2022>= 16.0.4003.1 < 16.0.4212.116.0.4212.1
msrcmicrosoft_sql_server_2016_for_x64-based_systems_service_pack_3
msrcmicrosoft_sql_server_2016_for_x64-based_systems_service_pack_3_azure_connect_fea
msrcmicrosoft_sql_server_2017_for_x64-based_systems
msrcmicrosoft_sql_server_2019_for_x64-based_systems
msrcmicrosoft_sql_server_2022_for_x64-based_systems