KB5063760 - Description of the security update for SQL Server 2017 GDR: August 12, 2025
Summary
This security update contains fixes that resolve the following vulnerabilities. For details, see the corresponding security advisories:
- CVE-2025-49758 - Microsoft SQL Server Elevation of Privilege Vulnerability
- CVE-2025-24999 - Microsoft SQL Server Elevation of Privilege Vulnerability
- CVE-2025-49759 - Microsoft SQL Server Elevation of Privilege Vulnerability
- CVE-2025-53727 - Microsoft SQL Server Elevation of Privilege Vulnerability
The Microsoft SQL Server components are updated to the following builds in this security update:
- SQL Server - Product version: 14.0.2080.1, file version: 2017.140.2080.1
Improvements and fixes included in this update
Bug reference: 4424549
Description: Fixes a SQL injection vulnerability in a system stored procedure.
Fix area: SQL Server Engine
Component: High Availability and Disaster Recovery
Platform: All
Bug reference: 4432600
Description: Prevents logins with the ALTER ANY LOGIN permission from resetting the passwords of logins that have ALTER ANY LOGIN or IMPERSONATE ANY LOGIN permissions to avoid elevation of privilege.
Fix area: SQL Server Engine
Component: Security Infrastructure
Platform: All
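The following T-SQL script is an added example and is not part of this KB article or of Microsoft's own fix. It confirms the installed build against the version listed above, enumerates the logins that hold the two server-level permissions bug 4432600 concerns, and reproduces, in a constructed scenario, the reset-then-impersonate path that the fix closes. The login names helpdesk_reset and app_impersonator, the passwords, and the use of the sa login in the final comment are assumptions made for illustration; run it only against a disposable test instance from a sysadmin session.

```sql
-- Added example (not from the KB article). Run from a sysadmin session on a test instance.
-- Logins, passwords and the 'sa' reference below are constructed for illustration.

-- 1. Confirm the instance is at or above the build this update ships (14.0.2080.1).
SELECT SERVERPROPERTY('ProductVersion')     AS product_version,
       SERVERPROPERTY('ProductLevel')       AS product_level,
       SERVERPROPERTY('ProductUpdateLevel') AS update_level;
GO

-- 2. Enumerate principals granted ALTER ANY LOGIN or IMPERSONATE ANY LOGIN at server scope.
--    Role membership is listed alongside because sysadmin and securityadmin carry
--    equivalent reach implicitly and will not appear as explicit grants.
SELECT p.name          AS principal_name,
       p.type_desc,
       sp.permission_name,
       sp.state_desc,
       IS_SRVROLEMEMBER('sysadmin', p.name)      AS is_sysadmin,
       IS_SRVROLEMEMBER('securityadmin', p.name) AS is_securityadmin
FROM sys.server_principals AS p
JOIN sys.server_permissions AS sp
  ON sp.grantee_principal_id = p.principal_id
WHERE sp.class_desc = 'SERVER'
  AND sp.permission_name IN ('ALTER ANY LOGIN', 'IMPERSONATE ANY LOGIN')
  AND sp.state IN ('G', 'W')          -- GRANT and GRANT WITH GRANT OPTION
ORDER BY p.name, sp.permission_name;
GO

-- 3. Constructed scenario for the pre-fix escalation path.
--    helpdesk_reset holds only ALTER ANY LOGIN. app_impersonator holds IMPERSONATE ANY LOGIN
--    but is not a sysadmin member and has no CONTROL SERVER, so the documented ALTER LOGIN
--    rule that protects sysadmin members and CONTROL SERVER grantees did not cover it.
CREATE LOGIN helpdesk_reset   WITH PASSWORD = 'Str0ng!Pass-For-Test-1';
CREATE LOGIN app_impersonator WITH PASSWORD = 'Str0ng!Pass-For-Test-2';
GRANT ALTER ANY LOGIN       TO helpdesk_reset;
GRANT IMPERSONATE ANY LOGIN TO app_impersonator;
GO

-- Act as the low-privilege login and try to reset the higher-reach login's password.
-- On builds before 14.0.2080.1 this succeeds; on patched builds the description of
-- bug 4432600 says it is refused.
EXECUTE AS LOGIN = 'helpdesk_reset';
    ALTER LOGIN app_impersonator WITH PASSWORD = 'Attacker-Chosen-Pass-3';
REVERT;
GO

-- If the reset succeeded, whoever controls helpdesk_reset can connect as app_impersonator
-- with the new password and then use IMPERSONATE ANY LOGIN to become a sysadmin member:
--     EXECUTE AS LOGIN = 'sa';  SELECT IS_SRVROLEMEMBER('sysadmin');  REVERT;
-- (sa is assumed here; any sysadmin member login works.)

-- Cleanup.
DROP LOGIN app_impersonator;
DROP LOGIN helpdesk_reset;
GO
```

Step 2 is the part worth keeping in a regular audit: any principal listed there can, on an unpatched build, be turned into a sysadmin by anyone else on the list who holds ALTER ANY LOGIN, so the set should be small and reviewed. Grants made to user-defined server roles show up with type_desc SERVER_ROLE; expand their membership separately.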
Bug reference: 4435171
Description: Prevents elevation of privilege by running SQL Agent job steps for built-in jobs with reduced permissions.
Fix area: SQL Server Engine
Component: SQL Agent
Platform: All
Bug reference: 4286259
Description: Fixes a vulnerability that lets users who have access to certain stored procedures perform SQL injection and run arbitrary code with elevated privileges.
Fix area: SQL Server Engine
Component: SQL Server Engine
Platform: All