The vulnerability results from improper neutralization of special elements in SQL commands, enabling an authorized attacker to perform SQL injection that elevates privileges over a network. Key detail from vendor description: "Improper neutralization of special elements used in an sql command ('sql injection') in SQL Server allows an authorized attacker to elevate privileges over a network." This flaw, classified as CWE-89, lets an attacker with existing database access gain higher privileges, potentially compromising confidentiality, integrity, and availability of the database system.

According to the CNA information, Microsoft SQL Server 2025 CU 2 and Microsoft SQL Server 2025 for x64-based systems (GDR) are affected. No other specific version information is provided in the data. The CPE list includes earlier SQL Server releases, but the vendor statement limits the impact to SQL Server 2025.

The CVSS score of 8.8 indicates high severity, while the EPSS score of less than 1% suggests a low probability of exploitation in the near term. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated user with the ability to submit SQL commands; the attacker can inject specially crafted input that is not properly sanitized, thereby elevating their privileges. The known attack vector is network‑based, relying on the attacker’s authorized database access.