CVE-2025-29821: Microsoft Dynamics Business Central Information Disclosure Vulnerability

Overview

  • Severity: Medium (CVSS 5.5)
  • CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
  • Category: Information Disclosure
  • Exploit Status: Not Exploited
  • Exploitation Likelihood: Less Likely
  • Patch Tuesday: 2025-Apr
  • Released: 2025-04-08
  • EPSS Score: 0.79% (percentile: 73.9%)

Description

Improper input validation in Dynamics Business Central allows an authorized attacker to disclose information locally.

FAQ

What type of information could be disclosed by this vulnerability?

An attacker that successfully exploited this vulnerability could recover cleartext passwords from memory.

Affected Products (4)

Microsoft Dynamics

  • Microsoft Dynamics 365 Business Central Wave 1 2024 – Update 24.12
  • Microsoft Dynamics 365 Business Central 2023 Wave 2 – Update 23.18
  • Microsoft Dynamics 365 Business Central 2024 Wave 2 – Update 25.6
  • Microsoft Dynamics 365 Business Central 2025 Wave 1 – Update 26.0

Security Updates (4)

Acknowledgments

Nicklas Broberg Larsson with Navigot AB

Revision History

  • 2025-04-08: Information published.