CVE-2022-21957: Microsoft Dynamics 365 On-Premises Remote Code Execution Vulnerability

Overview

Severity: High (CVSS 7.2)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Category: Remote Code Execution
Exploit Status: Not Exploited
Exploitation Likelihood: Less Likely
Patch Tuesday: 2022-Feb
Released: 2022-02-08
Last Updated: 2022-03-23
EPSS Score: 6.15% (percentile: 90.8%)

FAQ

Are the updates for the Microsoft Dynamics 365 (on-premises) versions listed in this vulnerability currently available? The security update for Microsoft Dynamics 365 (on-premises) version 9.0 and Microsoft Dynamics 365 (on-premises) version 9.1 are not immediately available. The updates will be released as soon as possible, and when they are available, customers will be notified via a revision to this CVE information.

Affected Products (2)

Microsoft Dynamics

Microsoft Dynamics 365 (on-premises) version 9.0
Microsoft Dynamics 365 (on-premises) version 9.1

Security Updates (2)

Acknowledgments

<a href="https://www.linkedin.com/in/fabian-schmidt-42-/">Fabian Schmidt</a>

Revision History

2022-02-08: Information published.
2022-03-08: Added FAQ to explain that the security updates for Microsoft Dynamics 365 (on-premises) version 8.2 and Microsoft Dynamics 365 (on-premises) version 9.1 are not immediately available, and that customers will be notified via a revision to the CVE when the updates are available.
2022-03-23: The following revisions have been made to the Security Updates table: 1) Microsoft is announcing the availability of the security updates for Microsoft Dynamics 365 (on-premises) version 9.0 and Microsoft Dynamics 365 (on-premises) version 9.1. Customers running these versions of Microsoft Dynamics 365 (on-premises) should install the update for their product to be protected from this vulnerability. See the Security Updates table for Download and Article links. 2) Removed Microsoft Dynamics 365 (on-premises) version 8.2 as it is not affected by this vulnerability.