CVE-2022-23259: Microsoft Dynamics 365 On-Premises Remote Code Execution Vulnerability

Overview

Severity

High (CVSS 8.8)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

Category

Remote Code Execution

Exploit Status

Not Exploited

Exploitation Likelihood

Less Likely

Patch Tuesday

2022-Apr

Released

2022-04-12

EPSS Score

7.37% (percentile: 91.7%)

FAQ

How could an attacker exploit this vulnerability? An authenticated user could run a specially crafted trusted solution package to execute arbitrary SQL commands. From there the attacker could escalate and execute commands as db_owner within their Dynamics CRM database.

Affected Products (2)

Microsoft Dynamics

• Microsoft Dynamics 365 (on-premises) version 9.0
• Microsoft Dynamics 365 (on-premises) version 9.1

Security Updates (2)

• 5012732
• 5012731

Acknowledgments

<a href="https://www.linkedin.com/in/fabian-schmidt-42-/">Fabian Schmidt</a>

Revision History

• 2022-04-12: Information published.