Hackers Can Leverage SQL Server 2025 AI Features to Exfiltrate

Marcus Rodriguez
June 18, 2026 3 Min Read

Hackers are consistently finding new avenues to exploit legitimate enterprise features. Microsoft SQL Server 2025’s newly introduced AI capabilities, in particular, are now fueling serious security concerns.

SpecterOps researchers have demonstrated that these built-in features can be leveraged for stealthy data exfiltration and even command-and-control (C2) communication, all from within the database engine itself.

Microsoft introduced SQL Server 2025 with native AI integration to support modern workloads such as Retrieval-Augmented Generation (RAG). However, these same capabilities are now being repurposed by attackers as powerful post-exploitation tools.

The research, along with proof-of-concept (PoC) code, has been publicly released on GitHub, highlighting the real-world risks of these features.

One of the most critical additions is the stored procedure sp_invoke_external_rest_endpoint. This procedure enables SQL Server to send HTTPS requests directly to external endpoints, without relying on traditional methods such as xp_cmdshell or PowerShell.

While designed for legitimate API communication, it effectively enables attackers to exfiltrate sensitive data over encrypted channels.

SQL Server 2025 AI Features Enable Data Theft

The feature supports payloads up to 100 MB, making it highly efficient for transferring large datasets such as user credentials or database records.

In a demonstrated attack scenario, a compromised SQL Server instance with sysadmin privileges can query sensitive tables, convert the data to JSON, and transmit it to an attacker-controlled server using this procedure.

Data Exfiltration (Source: specterops)

Because the traffic originates from the database engine and uses HTTPS, it can bypass traditional monitoring tools that rely on detecting suspicious command execution or unusual outbound connections.

Another major feature, CREATE EXTERNAL MODEL, allows SQL Server to integrate with external AI models. This is complemented by AI_GENERATE_EMBEDDINGS, which sends data to these models and receives structured responses.

While intended for AI-driven applications, researchers showed that these functions can be abused to establish covert communication channels.

successful NTLM SMB auth coercion (Source: specterops)

Attackers can encode commands and responses within AI embedding data, making the traffic appear legitimate and difficult to detect. This capability enables a new form of C2 infrastructure operating entirely within SQL queries.

By combining external model calls with periodic check-ins, attackers can create persistent backdoors that execute commands and return results without deploying traditional malware.

In more advanced scenarios, attackers can load malicious .NET CLR assemblies directly into SQL Server memory, eliminating the need for disk-based payloads and further reducing detection risk.

The research also highlights a technique involving UNC paths in AI model configurations, which can trigger NTLM authentication attempts over SMB.

This allows attackers to capture or relay authentication hashes within a network. Although reported to Microsoft, this behavior was not classified as a security vulnerability, meaning it remains exploitable in current deployments.

Persistence is another concern. Attackers can create database triggers that automatically exfiltrate newly inserted or updated data.

For example, any new user credentials added to a table can be immediately sent to an external server without additional interaction. This turns the database into a continuous data leakage point.

From a defensive standpoint, these developments challenge traditional security assumptions. Historically, outbound web traffic from a database server was considered suspicious.

Defensive Considerations (Source: specterops)

With SQL Server 2025 normalizing HTTPS communication for AI workloads, distinguishing between legitimate and malicious activity becomes significantly harder.

SpecterOps recommends enforcing strict controls over database privileges, particularly sysadmin accounts, and closely monitoring features such as external REST endpoints and AI model integrations for potential abuse.

Network-level controls, such as restricting outbound connections from database servers, can also help mitigate risk. Additionally, organizations must baseline normal AI-related traffic patterns to detect anomalies effectively.
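
As an added illustration of the monitoring and baselining advice above (not code from SpecterOps or from this article), the following Python example reviews captured T-SQL statement text for the features named here: outbound REST calls, external model locations, triggers that call out, and CLR assembly creation. The allowlisted host, the sample statements and the function names are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"contoso-openai.openai.azure.com"}  # assumption: baseline AI hosts

REST_CALL = re.compile(r"\bsp_invoke_external_rest_endpoint\b", re.I)
URL_ARG = re.compile(r"@url\s*=\s*N?'([^']+)'", re.I)
MODEL_DDL = re.compile(r"\b(?:CREATE|ALTER)\s+EXTERNAL\s+MODEL\b", re.I)
LOCATION = re.compile(r"\bLOCATION\s*=\s*N?'([^']+)'", re.I)
TRIGGER_DDL = re.compile(r"\b(?:CREATE|ALTER)\s+TRIGGER\b", re.I)
ASSEMBLY_DDL = re.compile(r"\bCREATE\s+ASSEMBLY\b", re.I)


def check_destination(target, source):
    """Classify one destination taken from a REST call or a model LOCATION."""
    if target.startswith("\\\\"):  # UNC path: the server would authenticate over SMB
        return [f"{source}: UNC path {target}"]
    host = (urlsplit(target).hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return [f"{source}: {host or target} is not in the baseline"]
    return []


def review_statement(sql):
    """Return a list of findings for one captured T-SQL statement."""
    findings = []
    if REST_CALL.search(sql):
        urls = URL_ARG.findall(sql)
        if not urls:  # URL built at run time, so it cannot be checked statically
            findings.append("rest-endpoint: non-literal @url, review manually")
        for url in urls:
            findings += check_destination(url, "rest-endpoint")
        if TRIGGER_DDL.search(sql):
            findings.append("trigger: outbound REST call inside a trigger")
    if MODEL_DDL.search(sql):
        for location in LOCATION.findall(sql):
            findings += check_destination(location, "external-model")
    if ASSEMBLY_DDL.search(sql):
        findings.append("clr: assembly created, confirm it is approved")
    return findings


SAMPLES = [  # constructed statements, as statement-level auditing might record them
    "EXEC sp_invoke_external_rest_endpoint @url = N'https://contoso-openai.openai.azure.com/v1'",
    "EXEC sp_invoke_external_rest_endpoint @url = N'https://collector.example.net/in'",
    r"CREATE EXTERNAL MODEL m WITH (LOCATION = '\\fs01.example.net\models\m')",
    "CREATE TRIGGER t ON dbo.Users AFTER INSERT AS EXEC sp_invoke_external_rest_endpoint @url = @u",
]
REPORT = {sql: review_statement(sql) for sql in SAMPLES}
```

A statement whose @url is a variable can only be resolved at run time, so findings of that kind need to be paired with the outbound network restrictions described above.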

As AI capabilities continue to be embedded in enterprise software, this case highlights a growing trend in which legitimate features can be weaponized.

SQL Server 2025 demonstrates how innovation without corresponding security controls can expand the attack surface, forcing defenders to adapt rapidly to an evolving threat landscape.
