SQL Server 2025 AI Features Enable Data Exfiltration
Databases have long evolved beyond mere tabular repositories. However, new functionalities within SQL Server 2025 illustrate the inherent dangers of this progression. Recently, SpecterOps researchers discovered significant vulnerabilities. They detailed how attackers can abuse built-in artificial intelligence features. Consequently, malicious actors can exfiltrate sensitive data from corporate networks. Furthermore, they can establish communication with external command-and-control servers.
The Danger of External Web Requests
The primary risk stems from novel, native tools within SQL Server 2025. These mechanisms allow the system to contact external web addresses and AI models directly. Specifically, these include the `sp_invoke_external_rest_endpoint` procedure, the `CREATE EXTERNAL MODEL` command, and the `AI_GENERATE_EMBEDDINGS` function. Normally, these features assist developers in building advanced AI systems. They enable the database to interact with external models and generate text embeddings seamlessly. Therefore, they play a crucial role in navigating internal corporate knowledge bases.
Unfortunately, these exact mechanisms provide a convenient outbound channel for attackers. If an adversary compromises a highly privileged SQL Server account, severe consequences follow. They can easily compel the database to transmit data to an external HTTPS server. Importantly, this exfiltration requires no third-party tools or suspicious operating system commands. The database server executes the request autonomously. Moreover, a single transmission can quietly move up to 100 megabytes of data.
Automated Data Exfiltration via Triggers
Demonstration scenarios highlighted the severe potential of this weaponized database. Attackers successfully transmitted complete table contents and local disk files. Additionally, they configured triggers to send database updates automatically. This specific technique proves especially perilous. Instead of extracting entire tables, adversaries can seamlessly forward new records upon any modification. To traditional security systems, this malicious traffic simply masquerades as a legitimate SQL Server query interacting with an external AI service.
Exploiting External ONNX Models
Another alarming scenario involves external ONNX models. SQL Server currently permits administrators to specify network paths for these models. Consequently, attackers can force the system to authenticate via NTLM over SMB. This clever tactic allows adversaries to intercept valuable password hashes. Alternatively, they can attempt to relay these credentials deeper into the corporate domain. Microsoft received a detailed report regarding this specific behavior. Nevertheless, the tech giant concluded that it does not violate established security boundaries.
Establishing Command and Control Channels
The most disturbing revelation concerns command-and-control infrastructure. Adversaries can combine these new AI features with existing SQL Server capabilities. Ultimately, this creates a robust, fully functional communication channel with external malicious servers. In one particular variation, attackers executed commands via `xp_cmdshell`. In a more sophisticated approach, they utilized a .NET CLR assembly loaded directly into the SQL Server memory space. This stealthy method effectively disguises malicious traffic as routine AI vector processing.
Defensive Strategies and Mitigation
To defend against these threats, administrators must rigorously review all SQL Server account permissions. They should immediately revoke the `sysadmin` role wherever it remains unnecessary. Furthermore, security teams must actively monitor specific database activities. They must track the activation of `sp_invoke_external_rest_endpoint` and the creation of external models. Similarly, monitoring `xp_cmdshell` executions, SQL Server Agent job assignments, and CLR assembly loads remains critical. Standard SQL Server logs frequently lack the necessary visibility for this task. Therefore, administrators must configure comprehensive audits or extended events to capture actual query text.
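Once an audit or extended events session is capturing query text, the monitoring described above can be run as a triage pass over the captured statements. The following is an added example, not code from the article or from SpecterOps: the rule labels, the event layout (`login`, `text`), the choice of `CREATE ASSEMBLY` and `sp_add_job`/`sp_add_jobstep` as stand-ins for CLR loads and Agent job changes, and all sample statements are assumptions constructed for illustration.

```python
import re

# Statements standing in for the activity the article says to monitor.
# Labels and the CLR/Agent statement choices are assumptions of this example.
RULES = {
    "external_rest_call": r"\bsp_invoke_external_rest_endpoint\b",
    "external_model": r"\bcreate\s+external\s+model\b",
    "embeddings_call": r"\bai_generate_embeddings\b",
    "xp_cmdshell": r"\bxp_cmdshell\b",
    "clr_assembly": r"\bcreate\s+assembly\b",
    "agent_job": r"\bsp_add_job(step)?\b",
}
UNC_PATH = re.compile(r"\\\\[\w.$-]+\\[\w.$-]+")
TRIGGER = re.compile(r"\b(create|alter)\s+(or\s+alter\s+)?trigger\b")

def normalize(sql):
    """Drop comments and identifier quoting so [name], "name" and NAME compare equal."""
    sql = re.sub(r"/\*.*?\*/", " ", sql, flags=re.S)
    sql = re.sub(r"--[^\n]*", " ", sql)
    sql = re.sub(r'[\[\]"]', "", sql)
    return re.sub(r"\s+", " ", sql).strip().lower()

def classify(sql):
    """Return sorted rule labels for one captured statement."""
    text = normalize(sql)
    hits = {name for name, rx in RULES.items() if re.search(rx, text)}
    # A REST call inside a trigger body is the automatic forwarding case.
    if "external_rest_call" in hits and TRIGGER.search(text):
        hits.add("trigger_forwarding")
    # An external model on a network path is the NTLM-over-SMB case.
    if "external_model" in hits and UNC_PATH.search(text):
        hits.add("model_unc_path")
    return sorted(hits)

def scan(events):
    """Keep only events with findings, as (login, labels) pairs."""
    return [(e["login"], f) for e in events if (f := classify(e["text"]))]

# Constructed sample events, not real audit output.
SAMPLE_EVENTS = [
    {"login": "app_reader", "text": "SELECT TOP 10 * FROM dbo.Orders -- sp_invoke_external_rest_endpoint"},
    {"login": "svc_etl", "text": "CREATE OR ALTER TRIGGER dbo.trg_orders ON dbo.Orders AFTER INSERT AS\n"
        "EXEC [sys].[sp_invoke_external_rest_endpoint] @url = N'https://example.invalid/ingest';"},
    {"login": "dba_temp", "text": r"CREATE EXTERNAL MODEL DocModel WITH (LOCATION = '\\fs01\models\embed')"},
    {"login": "dba_temp", "text": "EXEC master..XP_CMDSHELL N'dir'"},
]

if __name__ == "__main__":
    for login, findings in scan(SAMPLE_EVENTS):
        print(login, findings)
```

The first sample event produces no finding because the procedure name appears only in a comment, which keeps commented-out code from raising alerts.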
As a separate precaution, organizations should completely block outbound HTTPS connections from database servers to unknown addresses. If a company genuinely requires these AI functionalities, it should host the models internally. Consequently, security teams must strictly limit all external network traffic. Otherwise, a classic indicator of compromise, a database suddenly accessing the internet, will gradually normalize. Thus, distinguishing malicious abuse from legitimate AI operations will become increasingly difficult.
Ultimately, SQL Server 2025 highlights a much broader industry problem. Integrating AI features into corporate products expands developer capabilities significantly. However, it simultaneously arms attackers with powerful new tools. When a database acquires native methods to contact external services, defense strategies must evolve. Security teams can no longer simply monitor network connections. Instead, they must meticulously scrutinize query contents, user roles, and the entire sequence of internal system actions.