CVE-2026-48561

Microsoft · 365 Copilot for Android

Microsoft 365 Copilot for Android and iOS is susceptible to a command injection vulnerability that allows unauthorized attackers to execute code over a network.

Executive summary

A critical command injection vulnerability in Microsoft 365 Copilot for Android and iOS allows remote attackers to execute arbitrary code on the affected devices.

Vulnerability

This vulnerability is a Command Injection (CWE-77) flaw. Improper neutralization of special elements in commands allows an unauthorized attacker to inject and execute arbitrary code on the target device via network communication.

Business impact

The ability for an unauthorized attacker to execute arbitrary code on mobile devices running Microsoft 365 Copilot creates a severe risk of device compromise, data theft, and unauthorized access to corporate resources. With a CVSS score of 9.6, this vulnerability represents a critical threat to the mobile device management strategy and overall organizational data security.

Remediation

Immediate Action: Update Microsoft 365 Copilot for Android and iOS to the latest available version provided by the respective app stores.

Proactive Monitoring: Review mobile device management (MDM) logs for unusual application behavior or unauthorized network connections originating from the Copilot application.

Compensating Controls: Restrict the use of the affected application on corporate-managed devices until the latest security updates have been verified and applied.

Exploitation status

Public Exploit Available: No

Analyst recommendation

Given the critical nature of command injection vulnerabilities, it is imperative to update the Microsoft 365 Copilot application across all mobile endpoints immediately. Security teams should ensure that all users have installed the latest version to mitigate the risk of remote code execution.