CVE-2025-59250: JDBC Driver for SQL Server Spoofing Vulnerability

Overview

Severity

High (CVSS 8.1)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C

Category

Spoofing

Exploit Status

Not Exploited

Exploitation Likelihood

Less Likely

Patch Tuesday

2025-Oct

Released

2025-10-14

EPSS Score

0.08% (percentile: 23.0%)

Description

Improper input validation in JDBC Driver for SQL Server allows an unauthorized attacker to perform spoofing over a network.

FAQ

How could an attacker exploit this vulnerability? An attacker could exploit the vulnerability by tricking a victim into connecting to a malicious server using techniques like DNS poisoning or phishing. Once connected, the attacker presents a legitimate TLS certificate with a spoofed Common Name (CN) in the Organizational Unit (OU) field. The JDBC driver mistakenly trusts this certificate, allowing the attacker to intercept SQL credentials and perform a machine-in-the-middle attack on encrypted database traffic.

Affected Products (8)

SQL Server

• Microsoft JDBC Driver 12.4 for SQL Server
• Microsoft JDBC Driver 12.2 for SQL Server
• Microsoft JDBC Driver 12.8 for SQL Server
• Microsoft JDBC Driver 10.2 for SQL Server
• Microsoft JDBC Driver 11.2 for SQL Server
• Microsoft JDBC Driver 12.6 for SQL Server
• Microsoft JDBC Driver 13.2 for SQL Server
• Microsoft JDBC Driver 12.10 for SQL Server

Security Updates (8)

• Release Notes
• Release Notes
• Release Notes
• Release Notes
• Release Notes
• Release Notes
• Release Notes
• Release Notes

Acknowledgments

<a href="https://www.linkedin.com/in/nikita-markevich/">Nikita Markevich</a>

Revision History

• 2025-10-14: Information published.