Impact
The vulnerability is a missing authentication check for a critical function in Microsoft SQL Server. An attacker who already has authorized access can invoke this function to attain higher privileges within the database engine. The description does not give details beyond privilege escalation, and no broader data access is explicitly indicated.
Affected Systems
Microsoft SQL Server 2022 (GDR) and the x64-based version with CU 22, as well as Microsoft SQL Server 2025 (GDR). The affected releases include the 17.0.1000.7 build for the x64 platform.
Risk and Exploitability
The CVSS score is 7.2, reflecting a high severity, while the EPSS score is 1%, indicating that exploitation is unlikely to be widely observed. The vulnerability is not listed in the CISA KEV catalog, further suggesting low exploit visibility. The likely attack vector is remote network-based. Once the attacker has authenticated to SQL Server, they can invoke the vulnerable function and gain privileges beyond those originally granted.
OpenCVE Enrichment