KB5063758: Fixes a vulnerability that lets users who have access to certain stored procedure

KB5063758 - Description of the security update for SQL Server 2019 GDR: August 12, 2025

Summary
This security update contains fixes and resolves vulnerabilities. To learn more about the vulnerabilities, see the following security advisories:

• CVE-2025-49758 - Microsoft SQL Server Elevation of Privilege Vulnerability
• CVE-2025-24999 - Microsoft SQL Server Elevation of Privilege Vulnerability
• CVE-2025-49759 - Microsoft SQL Server Elevation of Privilege Vulnerability
• CVE-2025-53727 - Microsoft SQL Server Elevation of Privilege Vulnerability

The Microsoft SQL Server components are updated to the following builds in this security update.

• SQL Server - Product version: 15.0.2140.1, file version: 2019.150.2140.1

Improvements and fixes included in this update

• Bug reference: 4420098
  Description: Fixes a SQL injection vulnerability in a system stored procedure.
  Fix area: SQL Server Engine
  Component: High Availability and Disaster Recovery
  Platform: All
• Bug reference: 4429473
  Description: Prevents logins with the ALTER ANY LOGIN permission from resetting the passwords of logins that have ALTER ANY LOGIN or IMPERSONATE ANY LOGIN permissions to avoid elevation of privilege.
  Fix area: SQL Server Engine
  Component: Security Infrastructure
  Platform: All
• Bug reference: 4435168
  Description: Prevents elevation of privilege by running SQL Agent job steps for built-in jobs with reduced permissions.
  Fix area: SQL Server Engine
  Component: SQL Agent
  Platform: All
• Bug reference: 4286169
  Description: Fixes a vulnerability that lets users who have access to certain stored procedures perform SQL injection and run arbitrary code by using elevated privileges.
  Fix area: SQL Server Engine
  Component: SQL Server Engine
  Platform: All