CVE-2021-34474: Dynamics Business Central Remote Code Execution Vulnerability

Overview

Severity: High (CVSS 8)
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Category: Remote Code Execution
Exploit Status: Not Exploited
Exploitation Likelihood: Less Likely
Patch Tuesday: 2021-Jul
Released: 2021-07-13
EPSS Score: 0.89% (percentile: 75.5%)

FAQ

According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). Can the exploit move from Dynamics Business Central to the underlying operating system?

An attacker who successfully exploited this vulnerability could use it to pivot from the machine to the rest of the network.

Affected Products (3)

Microsoft Dynamics

  • Microsoft Dynamics 365 Business Central 2020 Release Wave 1 - Update 16.14
  • Microsoft Dynamics 365 Business Central 2020 Release Wave 2 - Update 17.8
  • Microsoft Dynamics 365 Business Central 2021 Release Wave 1 - Update 18.3

Security Updates (3)

Revision History

  • 2021-07-13: Information published.