Security updates for Microsoft SQL Server were rolled out on November 11 2025 as part of Microsoft’s monthly ‘Patch Tuesday’ release. These security updates resolve a single security vulnerability disclosed by Microsoft in the latest security bulletin.
We share details of the security vulnerability impacting Microsoft SQL server software in November 2025.
CVE-2025-59499 – CVSS 8.8 – Elevation of Privileges
CVE-2025-59499 is an elevation of privilege security vulnerability impacting Microsoft SQL Server. Basic details of the vulnerability are:
- CVE-2025-59499
- CVSS 3.1 score – 8.8
- Impact – Information disclosure
- There are no reports of the vulnerability having been exploited against any SQL Server edition yet, but patching is still recommended to close the exposure.
An attacker could inject arbitrary T-SQL commands by crafting a malicious database name. An attacker who successfully exploited this vulnerability could gain the privileges of the process running the query. For example, if the process running the query containing a SQL injection is sysadmin, the attacker would gain sysadmin privileges.
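The bug class described above, as an added illustration that is not Microsoft’s code or the patched component: a database name spliced raw into dynamic T-SQL, the QUOTENAME-hardened form, and an audit query a DBA can run to list database names that carry parser-significant characters. The sample name is constructed.

```sql
-- Added illustration (not Microsoft's code or the actual patched component):
-- the bug class behind CVE-2025-59499 is a database name spliced into
-- dynamic T-SQL. Section 1 shows the unsafe pattern, section 2 the
-- QUOTENAME-hardened form, section 3 an audit a DBA can run on an instance.

-- Constructed sample name: a legal sysname (under 128 chars) that carries
-- characters significant to the T-SQL parser.
DECLARE @db  sysname = N'demo]; SELECT 1; --';
DECLARE @sql nvarchar(max);

-- 1) Unsafe: raw concatenation. The closing bracket in the name terminates
--    the identifier early and the remainder becomes statements of its own.
SET @sql = N'USE [' + @db + N']; SELECT DB_NAME();';
PRINT N'unsafe:   ' + @sql;   -- printed only, never executed here

-- 2) Hardened: QUOTENAME doubles every embedded ] and returns NULL for
--    input longer than 128 characters, so the result is exactly one identifier.
SET @sql = N'USE ' + QUOTENAME(@db) + N'; SELECT DB_NAME();';
PRINT N'hardened: ' + @sql;

-- 3) Audit: database names containing ] ' ; a line comment, or an ASCII
--    control character. Such names are rare in practice and worth a manual
--    review on an instance that has not yet taken the November 2025 update.
SELECT d.name, d.database_id, d.create_date,
       sp.name AS owner_login
FROM sys.databases AS d
LEFT JOIN sys.server_principals AS sp ON sp.sid = d.owner_sid
WHERE CHARINDEX(N']',  d.name) > 0
   OR CHARINDEX(N'''', d.name) > 0
   OR CHARINDEX(N';',  d.name) > 0
   OR CHARINDEX(N'--', d.name) > 0
   OR d.name LIKE N'%[' + NCHAR(1) + N'-' + NCHAR(31) + N']%' COLLATE Latin1_General_BIN
ORDER BY d.name;
```

Run the audit with a login that has VIEW ANY DATABASE; the two PRINT lines show how the same name produces a broken statement in section 1 and a single quoted identifier in section 2.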
CVE-2025-59499 – SQL Servers affected
CVE-2025-59499 impacts the following SQL Server editions; the KB article that resolves it is listed next to each edition:
- Microsoft SQL Server 2016 for x64-based Systems Service Pack 3 Azure Connect Feature Pack – resolved in KB5008400
- Microsoft SQL Server 2016 for x64-based Systems Service Pack 3 (GDR) – resolved in KB5008401
- Microsoft SQL Server 2017 for x64-based Systems (CU 31) – resolved in KB5008402
- Microsoft SQL Server 2017 for x64-based Systems (GDR) – resolved in KB5008403
- Microsoft SQL Server 2019 for x64-based Systems (CU 32) – resolved in KB5008404
- Microsoft SQL Server 2019 for x64-based Systems (GDR) – resolved in KB5008505
- Microsoft SQL Server 2022 for x64-based Systems (CU 21) – resolved in KB5008406
- Microsoft SQL Server 2022 for x64-based Systems (GDR) – resolved in KB5008407
Installation of SQL Server Updates
You can install the SQL Server security updates in one of the following ways:
- through Microsoft Update, which downloads and installs the corresponding SQL Server security updates automatically
- by downloading the security update from the Microsoft Download Center
- by downloading the offline installer for the SQL Server security update from the Microsoft Update Catalog
Installing the SQL Server security update does not by itself restart the server. The host may still reboot because of operating system security updates installed in the same cycle.