
Fabiano Amorim
Sessions for 2026
Join this session to explore key advancements in SQL Server 2022 and a preview of 2025, including Contained AGs, Distributed AG enhancements, and PSP Optimization—plus practical strategies to boost reliability, performance, and readiness for the future!
It began as a small security research project on a local SQL Server. One vulnerability quickly led much further. That initial finding enabled privilege escalation across multiple managed platforms, including Azure SQL Database, GCP CloudSQL for SQL Server, Amazon RDS, and Alibaba ApsaraDB. In this presentation, I'll demonstrate how an attacker can escalate from a low-privileged user to sysadmin in cloud-managed SQL Server environments. I'll also explain why these flaws existed, how to defend against similar attack paths, and how each cloud provider responded.
SQL Server environments are often assumed to be secure by default. This session challenges that belief by demonstrating how a low-privileged login can be leveraged to compromise an entire MSSQL environment. Using real-world scenarios, I’ll show how design flaws and overlooked features enable privilege escalation, data exposure, and full administrative control, and how to prevent it.