CVE-2022-35805: Microsoft Dynamics CRM (on-premises) Remote Code Execution Vulnerability

Overview

Severity

High (CVSS 8.8)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

Category

Remote Code Execution

Exploit Status

Not Exploited

Exploitation Likelihood

Less Likely

Patch Tuesday

2022-Sep

Released

2022-09-13

EPSS Score

6.37% (percentile: 91.0%)

FAQ

How could an attacker exploit this vulnerability? An authenticated user could run a specially crafted trusted solution package to execute arbitrary SQL commands. From there the attacker could escalate and execute commands as db_owner within their Dynamics CRM database. According to the CVSS metric, privileges required is low (PR:L). What does that mean for this vulnerability? The attacker must be authenticated to be able to exploit this vulnerability.

Affected Products (2)

Microsoft Dynamics

• Microsoft Dynamics CRM (on-premises) 9.0
• Microsoft Dynamics CRM (on-premises) 9.1

Security Updates (1)

• 5017524

Acknowledgments

<a href="https://www.linkedin.com/in/fabian-schmidt-42-/">Fabian Schmidt</a>

Revision History

• 2022-09-13: Information published.