KB5068404: This hotfix addresses a SQL injection vulnerability
KB5068404 - Description of the security update for SQL Server 2019 CU32: November 11, 2025
Summary
This security update contains fixes and resolves vulnerabilities. To learn more about the vulnerabilities, see the following security advisories:
- CVE-2025-59499 - Microsoft SQL Server Elevation of Privilege Vulnerability
The Microsoft SQL Server components are updated to the following builds in this security update:
- SQL Server - product version: 15.0.4455.2, file version: 2019.150.4455.2
Improvements and fixes included in this update
A downloadable Excel workbook that contains a summary list of builds, together with their current support lifecycle, is available. The Excel file also contains detailed fix lists.
4653533:
- This update resolves an issue in SQL Server Analysis Services in which Row-Level Security (RLS) filters could be skipped when combined with Object-Level Security (OLS) and Column-Level Security (CLS) in certain multi-role configurations. This issue occurs only under rare and contradictory setups (for example, a role that grants table-level read permission while it restricts all columns, combined with other similar restrictive roles). The fix ensures that RLS is consistently applied in all scenarios.
4711185:
- This hotfix addresses a SQL injection vulnerability in an internal backup stored procedure that was inadvertently exposed to all users. The hotfix restricts unauthorized access and mitigates the risk by correctly sanitizing input parameters.
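
The following T-SQL is an added example, not code from Microsoft or from this update. It checks the instance against the build listed above, then goes beyond the internal procedure described in fix 4711185 to look for the same exposure pattern in your own databases: procedures that build dynamic SQL and are executable by `public`. The `LIKE` patterns are a heuristic that I chose, so treat the results as candidates for manual review.

```sql
-- Added example: run in the context of each user database you want to review.

-- 1. Compare the running build with 15.0.4455.2, the product version this
--    update installs. ProductVersion has the form major.minor.build.revision.
DECLARE @v sysname = CAST(SERVERPROPERTY('ProductVersion') AS sysname);

SELECT
    @v AS product_version,
    CASE
        WHEN PARSENAME(@v, 4) <> '15'
            THEN 'not SQL Server 2019: this KB does not apply'
        WHEN CAST(PARSENAME(@v, 2) AS int) > 4455
          OR (CAST(PARSENAME(@v, 2) AS int) = 4455
              AND CAST(PARSENAME(@v, 1) AS int) >= 2)
            THEN 'at or above 15.0.4455.2'
        ELSE 'below 15.0.4455.2'
    END AS patch_status;

-- 2. List user procedures where EXECUTE is granted to public and the body
--    contains dynamic SQL. This covers object-level grants only; EXECUTE
--    granted at schema or database level is not shown here.
SELECT
    SCHEMA_NAME(o.schema_id) AS proc_schema,
    o.name                   AS proc_name,
    dp.state_desc            AS grant_state
FROM sys.database_permissions AS dp
JOIN sys.database_principals  AS pr ON pr.principal_id = dp.grantee_principal_id
JOIN sys.objects              AS o  ON o.object_id = dp.major_id
JOIN sys.sql_modules          AS m  ON m.object_id = o.object_id
WHERE dp.class = 1                      -- object-level permission
  AND dp.minor_id = 0                   -- whole object, not a column
  AND dp.permission_name = 'EXECUTE'
  AND dp.state IN ('G', 'W')            -- GRANT or GRANT WITH GRANT OPTION
  AND pr.name = 'public'
  AND o.type = 'P'                      -- T-SQL stored procedure
  AND (   m.definition LIKE '%sp_executesql%'
       OR m.definition LIKE '%EXEC%(%'  -- heuristic: EXEC (@sql) / EXECUTE (@sql)
      )
ORDER BY proc_schema, proc_name;
```

The build comparison applies to instances on the SQL Server 2019 cumulative update branch, which is the branch this KB updates.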

