Execution with unnecessary privileges in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to execute code over a network.
**According to the CVSS metric, privileges required is high (PR:H). What does that mean for this vulnerability?**

Successful exploitation of this vulnerability requires an attacker to already have a high level of access, specifically a System Administrator role in Microsoft Dynamics 365 CRM. As a result, this issue cannot be exploited by an unauthenticated or low-privilege user and is only relevant to users who already hold elevated permissions.

**How could an attacker exploit this vulnerability?**

An attacker with System Administrator privileges could modify specific data associated with background operations through the CRM web interface. When the system later processes this data, it may be deserialized without proper validation, allowing the attacker to trigger unauthorized commands on the CRM server.

**According to the CVSS metric, successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?**

This vulnerability could allow the attacker to interact with other tenants' applications and content.
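The root cause described above is a stored payload for background operations that is deserialized without validation. The following C# example is added here for illustration and is not Microsoft or Dynamics 365 code; the payload shape (`BackgroundJobPayload`), the operation names and the job format are assumptions. It shows the two controls a .NET service processing such stored data would want: a deserializer that can only ever produce one known, non-polymorphic type, and an allow-list check on the decoded content before it is acted on. The `AllowListBinder` shows the equivalent control for legacy formatters that resolve type names from the payload itself.

```csharp
// Added illustrative example (not Microsoft / Dynamics 365 code).
// Type names, operation names and the payload format are assumptions.
using System;
using System.Collections.Generic;
using System.Runtime.Serialization;
using System.Text.Json;
using System.Text.Json.Serialization;

// The only shape a stored background-operation payload is allowed to take.
public sealed class BackgroundJobPayload
{
    public string Operation { get; set; } = "";
    public Dictionary<string, string> Parameters { get; set; } = new();
}

public static class SafeJobPayload
{
    // Operations the job runner knows how to execute; anything else is rejected before use.
    private static readonly HashSet<string> AllowedOperations =
        new(StringComparer.Ordinal) { "RecalculateRollups", "ExportReport", "ReindexEntity" };

    private static readonly JsonSerializerOptions Options = new()
    {
        // System.Text.Json never honours type hints embedded in the data, so the result
        // can only be a BackgroundJobPayload, never an attacker-chosen type.
        PropertyNameCaseInsensitive = false,
        // Reject payloads carrying members the model does not declare (.NET 8+).
        UnmappedMemberHandling = JsonUnmappedMemberHandling.Disallow,
        MaxDepth = 8,
    };

    // Decode the stored payload and validate its content before it reaches the job runner.
    public static BackgroundJobPayload Parse(string json)
    {
        var payload = JsonSerializer.Deserialize<BackgroundJobPayload>(json, Options)
                      ?? throw new InvalidOperationException("empty payload");

        if (!AllowedOperations.Contains(payload.Operation))
            throw new InvalidOperationException($"operation not permitted: {payload.Operation}");

        return payload;
    }
}

// For legacy formatters that resolve types by name, a binder restricts deserialization
// to the single expected type and throws for everything else.
public sealed class AllowListBinder : SerializationBinder
{
    public override Type BindToType(string assemblyName, string typeName)
    {
        if (typeName == typeof(BackgroundJobPayload).FullName)
            return typeof(BackgroundJobPayload);
        throw new SerializationException($"type not on allow-list: {typeName}");
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample inputs: one well-formed job and two that must be rejected.
        string ok = """{"Operation":"ExportReport","Parameters":{"ReportId":"42"}}""";
        string unknownOp = """{"Operation":"RunShell","Parameters":{}}""";
        string extraMember = """{"Operation":"ExportReport","Parameters":{},"$type":"X"}""";

        Console.WriteLine(SafeJobPayload.Parse(ok).Operation);          // ExportReport

        foreach (var bad in new[] { unknownOp, extraMember })
        {
            try { SafeJobPayload.Parse(bad); }
            catch (Exception e) { Console.WriteLine("rejected: " + e.Message); }
        }
    }
}
```

The important property is that validation happens on the decoded, typed object, not on the raw text: the deserializer is prevented from instantiating anything but the expected model, and the model's content is then checked against what the job runner is actually prepared to execute.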
<a href="https://twitter.com/hoangnx99">nxhoang99</a> and <a href="mailto:hoang.ha.handle@gmail.com">hoangha</a> with <a href="https://lab.viettelcybersecurity.com/">VCSLab of Viettel Cyber Security</a>, <a href="https://www.linkedin.com/in/talha--gunay/">TALHA GÜNAY</a>, f7d8c52bec79e42795cf15888b85cbad, Kentaro Kawane with <a href="https://gmo-cybersecurity.com/">GMO Cybersecurity by Ierae, Inc.</a>