Andreas Wolter • 9/9/2025

Bug in Auditing allows for undetected Data Exfiltration by low privileged user

The article details a critical security vulnerability in Microsoft SQL Server's SENSITIVE_BATCH_COMPLETED audit action group. A low-privileged user with SELECT permissions can use commands like SELECT INTO or DBCC CLONEDATABASE to exfiltrate sensitive data without generating audit logs, bypassing detection. The author provides reproduction steps, discusses Microsoft's low-priority assessment, and offers temporary mitigation strategies until a fix is released.

0 comments

#SQL Server #Security Vulnerability #Data Exfiltration