CVE-2021-42316: Microsoft Dynamics 365 On-Premises Remote Code Execution Vulnerability

Overview

Severity: High (CVSS 8.8)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Category: Remote Code Execution
Exploit Status: Not Exploited
Exploitation Likelihood: Less Likely
Patch Tuesday: 2021-Nov
Released: 2021-11-09
Last Updated: 2021-11-12
EPSS Score: 1.67% (percentile: 82.1%)

FAQ

What privileges could an attacker gain with successful exploitation of this vulnerability?

An attacker can write to any file where the webserver user (nt authority\network service) has write access.

Affected Products (2)

Microsoft Dynamics

  • Microsoft Dynamics 365 (on-premises) version 9.1
  • Microsoft Dynamics 365 (on-premises) version 9.0

Security Updates (2)

Revision History

  • 2021-11-09: Information published.
  • 2021-11-12: Added an FAQ and updated the CVSS score. This is an informational change only.