CVE-2025-53728: Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability

Overview

Severity

Medium (CVSS 6.5)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C

Category

Information Disclosure

Exploit Status

Not Exploited

Exploitation Likelihood

Less Likely

Patch Tuesday

2025-Aug

Released

2025-08-12

EPSS Score

0.10% (percentile: 26.8%)

Description

Exposure of sensitive information to an unauthorized actor in Microsoft Dynamics 365 (on-premises) allows an unauthorized attacker to disclose information over a network.

FAQ

According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? The user would have to click on a specially crafted URL to be compromised by the attacker, and navigate to a malicious site where malicious code would execute a series of specially crafted queries. What type of information could be disclosed by this vulnerability? The type of information that could be disclosed if an attacker successfully exploited this vulnerability is sensitive information.

Affected Products (1)

Microsoft Dynamics

• Microsoft Dynamics 365 (on-premises) version 9.1

Security Updates (1)

• 5064483

Acknowledgments

Ha Anh Hoang with <a href="https://viettelcybersecurity.com/">Viettel Cyber Security</a>

Revision History

• 2025-08-12: Information published.