Advisory 93: Microsoft SQL Server Information Disclosure Vulnerability
Release Date: 08th of July 2025
Impact: HIGH / CRITICAL
TLP Rating: Clear
CERT Vanuatu (CERTVU) and the Department of Communication and Digital Transformation (DCDT) provide the following advisory.
This alert is relevant to organizations that use the above products. It is intended to be understood by technical users and systems administrators.
What is it?
A Microsoft SQL Server Information Disclosure Vulnerability refers to a security flaw that allows an attacker to gain access to sensitive information from the SQL Server that should normally be protected. These types of vulnerabilities typically occur due to improper handling of memory, logging, or error messages.
What are the Systems affected?
Affected Versions:
All Versions of Microsoft SQL Server
What does this mean?
An Information Disclosure Vulnerability in Microsoft SQL Server means that:
• The server may unintentionally reveal internal information such as:
- Memory contents (e.g., credentials, tokens)
- System configuration or versioning details
- SQL query structures or database schema
- Error messages containing sensitive data
Improper input validation in SQL Server allows an unauthorized attacker to disclose information over a network.
Mitigation process
Administrators should update their relevant version of SQL Server.
See the latest updates available for currently supported versions of SQL Server.
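One way to verify the update step across an inventory, as an added example that is not part of the CERTVU advisory: it compares each instance's build (the string returned by SERVERPROPERTY('ProductVersion')) with the first fixed build of its own servicing branch, because SQL Server security updates ship separately for the GDR and CU branches. Every build number, host name and function name here is a constructed placeholder; the real fixed builds must be taken from the Microsoft guidance listed under References.

```python
# Added example: triage SQL Server builds against the fixed build of each
# servicing branch. All build numbers are PLACEHOLDERS (constructed), not real
# fixed builds; fill the table from Microsoft's guidance listed under References.

def parse_build(text):
    """Parse a SERVERPROPERTY('ProductVersion') string such as '99.0.4100.2'."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)

# major version -> [(first build of the branch, first fixed build on that branch)]
FIXED_BUILDS = {
    99: [((99, 0, 2000, 0), (99, 0, 2500, 0)),   # GDR branch (placeholder values)
         ((99, 0, 4000, 0), (99, 0, 4500, 0))],  # CU branch (placeholder values)
}

def classify(version_text, fixed_builds=FIXED_BUILDS):
    build = parse_build(version_text)
    if build is None:
        return "unparseable"
    branches = fixed_builds.get(build[0])
    if branches is None:
        return "no-baseline"   # unsupported or missing from the table: review by hand
    # An instance sits on the branch with the highest starting build <= its own build.
    on = [b for b in branches if b[0] <= build]
    if not on:
        return "needs-update"  # older than every known branch
    _, fixed = max(on)
    return "patched" if build >= fixed else "needs-update"

def triage(inventory):
    """Map each instance name to its status."""
    return {host: classify(version) for host, version in inventory}

# Constructed inventory: (instance name, ProductVersion string)
INVENTORY = [
    ("sql-a", "99.0.2500.0"),   # GDR branch, at the fixed build
    ("sql-b", "99.0.4100.2"),   # CU branch: above the GDR fix, below the CU fix
    ("sql-c", "99.0.4500.3"),   # CU branch, past the fixed build
    ("sql-d", "98.0.1234.0"),   # major version with no baseline in the table
    ("sql-e", "unknown"),       # collection failed
]

if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host}: {status}")
```

Comparing against a single minimum build per major version would report sql-b as patched; the per-branch comparison is what catches it.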
References
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-49719
- https://www.microsoft.com/en-us/msrc/exploitability-index
- https://learn.microsoft.com/en-us/troubleshoot/sql/releases/download-and-install-latest-updates