SpecterOps — SQL Server 2025 AI Features Weaponized for Data Exfiltration and C2

AI relevance: Native AI/RAG features in SQL Server 2025 create a new class of in-database exfiltration and C2 primitives that disguise malicious traffic as legitimate AI model telemetry — directly threatening organizations deploying AI pipelines on top of existing database infrastructure.

What happened

  • SpecterOps researcher Justin Kalnasy published a detailed proof-of-concept showing how Microsoft SQL Server 2025's new AI-oriented features can be weaponized for data exfiltration and covert command-and-control entirely within the database engine.
  • SQL Server 2025 (released November 2025) introduced three native AI features designed for RAG pipelines: sp_invoke_external_rest_endpoint (HTTPS calls to arbitrary endpoints with payloads up to 100 MB), CREATE EXTERNAL MODEL (register external AI embedding models), and AI_GENERATE_EMBEDDINGS (send data to a model endpoint and receive vector arrays).
  • The researcher demonstrated three distinct exfiltration methods: dumping credential tables via FOR JSON AUTO payloads, filesystem access via OPENROWSET(BULK ...) for arbitrary file theft, and a persistent database TRIGGER that auto-posts new credentials to an attacker server on each table insert.
  • A full T-SQL + .NET CLR C2 implant was constructed that routes beacon traffic through AI_GENERATE_EMBEDDINGS — commands are XOR-encrypted, encoded as synthetic vector arrays mimicking legitimate embedding model traffic, and decoded server-side.
  • The implant uses context connection=true to reuse the in-process SQL session, avoiding new network connections from the agent process. The resulting traffic is visually indistinguishable from authentic AI model telemetry to an untrained analyst.
  • The CREATE EXTERNAL MODEL feature also supports ONNX models via UNC paths, enabling NTLM SMB authentication coercion for hash capture or relay attacks against domain infrastructure.
  • Reported to Microsoft on April 20, 2026. On May 12, 2026, Microsoft determined the behavior did not meet the bar for security servicing — meaning all primitives remain exploitable in current deployments.

Why it matters

  • Organizations deploying AI/RAG features on existing SQL Server infrastructure now have a new, stealthy attack surface that blends into normal AI operations — security teams cannot simply flag outbound HTTPS from the database as anomalous when AI features legitimately require it.
  • The 100 MB payload ceiling on sp_invoke_external_rest_endpoint allows serialization and exfiltration of entire database tables in a single HTTPS POST — far more efficient than legacy xp_cmdshell or PowerShell-based methods.
  • The C2 channel's ability to masquerade as embedding model traffic undermines traditional network monitoring that treats database web traffic as automatically suspicious.
  • Microsoft's decision not to patch means this is a design-level risk, not a bug — defenders must implement compensating controls rather than waiting for a vendor fix.

What to do

  • Audit all SQL Server database logins and remove unnecessary sysadmin privileges from application service accounts — over-privileged accounts remain the most common initial access vector.
  • Configure alerting for CREATE EXTERNAL MODEL statements, sp_invoke_external_rest_endpoint enablement, and CLR assembly deployment using SQL Audit or Extended Events.
  • Block internet-bound HTTPS egress from SQL Server hosts at the firewall or proxy level — this stops most exfiltration attempts, especially for organizations hosting AI models internally.
  • Baseline legitimate embedding model traffic patterns and train analysts to detect anomalies in AI-normalized egress flows.
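
A triage pass over audited T-SQL statement text, added here as an example and not taken from the SpecterOps write-up: it flags the three events the alerting item names, plus endpoint hosts outside an allowlist, models loaded from UNC paths, and REST calls placed inside triggers. The audit records, host names, and finding names are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Assumption: hosts of the model endpoints this organization has approved.
APPROVED_HOSTS = {"embeddings.corp.example"}

# The three events the alerting item names, matched on audited statement text.
PATTERNS = {
    "external_model_created": r"\bCREATE\s+EXTERNAL\s+MODEL\b",
    "rest_endpoint_enabled": r"\bsp_configure\b.*external rest endpoint enabled",
    "clr_assembly_deployed": r"\bCREATE\s+ASSEMBLY\b",
}
REST_CALL = re.compile(r"\bsp_invoke_external_rest_endpoint\b", re.I)
TRIGGER = re.compile(r"\bCREATE\s+(OR\s+ALTER\s+)?TRIGGER\b", re.I)
URL = re.compile(r"https?://[^\s'\"]+", re.I)
UNC = re.compile(r"\\\\[\w.-]+\\[\w$.-]+")  # \\host\share

def triage(statement):
    """Return the set of finding names for one audited T-SQL statement."""
    found = {name for name, pat in PATTERNS.items()
             if re.search(pat, statement, re.I | re.S)}
    is_model = "external_model_created" in found
    is_call = bool(REST_CALL.search(statement))
    if is_model or is_call:  # compare endpoint hosts with the allowlist
        hosts = {urlparse(u).hostname for u in URL.findall(statement)}
        if hosts - APPROVED_HOSTS:
            found.add("unapproved_endpoint_host")
    if is_model and UNC.search(statement):
        found.add("model_loaded_from_unc_path")
    if is_call and TRIGGER.search(statement):
        found.add("rest_call_inside_trigger")
    return found

# Constructed, abbreviated audit records: (principal, statement text).
SAMPLE_AUDIT = [
    ("svc_rag", "EXEC sp_invoke_external_rest_endpoint @url = N'https://embeddings.corp.example/v1/embed'"),
    ("app_login", "EXEC sp_configure 'external rest endpoint enabled', 1; RECONFIGURE"),
    ("app_login", "CREATE EXTERNAL MODEL m1 WITH (LOCATION = 'https://models.example.net/embed')"),
    ("app_login", r"CREATE EXTERNAL MODEL m2 WITH (LOCATION = '\\fs01\models\m.onnx')"),
    ("app_login", "CREATE ASSEMBLY helper FROM 0x00 WITH PERMISSION_SET = UNSAFE"),
    ("app_login", "CREATE TRIGGER t ON dbo.t1 AFTER INSERT AS EXEC sp_invoke_external_rest_endpoint @url = N'https://collector.example.net/in'"),
]

def report(records):
    return [(who, sorted(triage(sql))) for who, sql in records if triage(sql)]

if __name__ == "__main__":
    for who, findings in report(SAMPLE_AUDIT):
        print(who, findings)
```

Matching statement text misses calls assembled with dynamic SQL, so this works as triage alongside the egress block rather than as a replacement for it.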
