Hackers Can Leverage SQL Server 2025 AI Features

Overview

Microsoft’s SQL Server 2025 was designed to bring AI into enterprise databases — but research from SpecterOps shows that these same features can be weaponized for data exfiltration and command‑and‑control (C2) operations. The findings reveal how legitimate AI functions can be repurposed by attackers to steal data and establish persistent backdoors without deploying traditional malware.

How Attackers Exploit SQL Server AI Features

At the core of the research is the stored procedure sp_invoke_external_rest_endpoint, which allows SQL Server to send HTTPS requests to external endpoints directly from the database engine. Originally intended for API integration, this feature can be abused to exfiltrate sensitive data over encrypted channels.

| Feature | Legitimate Purpose | Abuse Scenario |
|---|---|---|
| sp_invoke_external_rest_endpoint | Enables secure API calls from SQL Server | Sends data to attacker‑controlled servers via HTTPS |
| CREATE EXTERNAL MODEL | Integrates AI models for RAG workloads | Establishes covert C2 channels through AI embeddings |
| AI_GENERATE_EMBEDDINGS | Generates structured AI responses | Encodes commands and responses within AI traffic |

Because the traffic originates from the database engine and uses HTTPS, it can bypass traditional security tools that monitor for PowerShell or xp_cmdshell execution.

Real‑World Attack Scenarios

SpecterOps demonstrated how a compromised SQL Server instance with sysadmin privileges can query sensitive tables, convert data to JSON, and transmit it to an external server using the REST endpoint procedure.

Attackers can also use AI model calls to create persistent C2 channels:

In advanced cases, attackers can abuse UNC paths in AI model configurations to trigger NTLM authentication attempts over SMB, capturing or relaying hashes within the network. Microsoft did not classify this behavior as a vulnerability, leaving it exploitable in current deployments.

Persistence and Continuous Data Leakage

Attackers can create database triggers that automatically exfiltrate newly inserted or updated records. For example, any new user credentials added to a table can be instantly sent to an external server — turning the database into a continuous data leakage point. This approach blurs the line between legitimate AI workloads and malicious activity, making traditional detection methods ineffective.

Defensive Recommendations

[…]
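
An audit sketch for the features named above, added here as an example; it is not from the SpecterOps research or from Microsoft. It assumes the SQL Server 2025 catalog views and option names as documented (the 'external rest endpoint enabled' setting, sys.external_models, the EXECUTE ANY EXTERNAL ENDPOINT permission) and must be run in each user database, since module and model metadata are database-scoped.

```sql
-- 1. Instance level: is outbound REST from the engine switched on at all?
SELECT name, value_in_use
FROM sys.configurations
WHERE name = N'external rest endpoint enabled';

-- 2. Triggers, procedures and functions whose source references the REST
--    procedure or the embeddings function. Triggers are the persistence
--    case described above, so they sort first. Encrypted modules have a
--    NULL definition and are listed so they can be reviewed by hand.
SELECT o.type_desc,
       OBJECT_SCHEMA_NAME(o.object_id) AS schema_name,
       o.name                          AS module_name,
       OBJECT_NAME(tr.parent_id)       AS trigger_on_table,
       tr.is_disabled,
       o.create_date,
       o.modify_date,
       CASE WHEN m.definition IS NULL THEN 1 ELSE 0 END AS is_encrypted
FROM sys.sql_modules AS m
JOIN sys.objects     AS o  ON o.object_id  = m.object_id
LEFT JOIN sys.triggers AS tr ON tr.object_id = o.object_id
WHERE m.definition IS NULL
   OR m.definition LIKE N'%sp_invoke_external_rest_endpoint%'
   OR m.definition LIKE N'%AI_GENERATE_EMBEDDINGS%'
ORDER BY CASE WHEN tr.object_id IS NULL THEN 1 ELSE 0 END, o.modify_date DESC;

-- 3. Registered external models and where they point. A LOCATION that
--    starts with two backslashes is a UNC path (the NTLM-over-SMB case).
SELECT name, location, api_format, model_type_desc, model,
       CASE WHEN location LIKE N'\\%' THEN 1 ELSE 0 END AS is_unc_location
FROM sys.external_models
ORDER BY is_unc_location DESC, name;

-- 4. Non-sysadmin principals explicitly allowed to call external endpoints.
SELECT pr.name AS principal_name, pr.type_desc, pe.state_desc, pe.permission_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pe.permission_name = N'EXECUTE ANY EXTERNAL ENDPOINT';
```

Any row from query 2 with a trigger_on_table value, or any row from query 3 with is_unc_location = 1, is worth comparing against the application's change history before treating it as legitimate.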