CVE-2025-58112
EUVD-2025-208846
2026-03-18 (source: mitre)

Lifecycle Timeline

CVE Published: Mar 18, 2026 - 00:00 (nvd; reference N/A)
EUVD ID Assigned: Mar 18, 2026 - 19:00 (euvd), EUVD-2025-208846
Analysis Generated: Mar 18, 2026 - 19:00 (vuln.today)

Description

Microsoft Dynamics 365 Customer Engagement (on-premises) 1612 (9.0.2.3034) allows the generation of customized reports via raw SQL queries in an upload of a .rdl (Report Definition Language) file; this is then processed by the SQL Server Reporting Service. An account with the privilege Add Reporting Services Reports can upload a malicious rdl file. If the malicious rdl file is already loaded and it is executable by the user, the Add Reporting Services Reports privilege is not required. A malicious actor can trigger the generation of the report, causing the execution of arbitrary SQL commands in the underlying database. Depending on the permissions of the account running SQL Server Reporting Services, the attacker may be able to perform additional actions, such as accessing linked servers or executing operating system commands.

Analysis

This vulnerability gives an authenticated user of Microsoft Dynamics 365 Customer Engagement (on-premises) version 1612 arbitrary SQL execution against the underlying database by way of a Report Definition Language (RDL) file that SQL Server Reporting Services (SSRS) executes. An account holding the 'Add Reporting Services Reports' privilege can upload an RDL whose dataset query is raw T-SQL; if such a report is already loaded and the user is allowed to run it, no upload privilege is needed, so existing reports are part of the attack surface, not only new uploads. When the report renders, the query runs with the database permissions of the account behind SSRS rather than with the requesting user's Dynamics privileges, which is why the outcome ranges from data exfiltration to linked-server access and, where xp_cmdshell or a similar facility is enabled, operating-system command execution. The analysis cites a proof-of-concept in public repositories; the priority panel below still scores POC at 0, so treat the exploitation signal as unconfirmed until the reference is verified.

Technical Context

The vulnerability sits in the report execution path shared by Dynamics 365 Customer Engagement (on-premises) and SQL Server Reporting Services (SSRS). RDL is an XML specification for reports; each DataSet in it carries a Query element whose CommandText SSRS hands verbatim to the report's data source, so a dataset written as raw T-SQL is executed exactly as supplied, server-side. Dynamics' own report authoring uses FetchXML through its Fetch data processing extension, which evaluates the query under the requesting user's Dynamics privileges; an uploaded RDL whose dataset is SQL command text bypasses that layer and runs under the database identity of the SSRS data source, and build 1612 (9.0.2.3034) does not reject such a report. The CWE tags applied here are CWE-89 (SQL Injection), CWE-434 (Unrestricted Upload of File with Dangerous Type) and CWE-94 (Improper Control of Generation of Code). Strictly, nothing is injected into an existing query: the attacker supplies the whole query, so CWE-434 and CWE-94 describe the mechanism and CWE-89 describes the impact. Because one SSRS instance serves the whole Dynamics organization database, a compromised or over-provisioned report-management account becomes a high-impact pivot.

Affected Products

Microsoft Dynamics 365 Customer Engagement (on-premises) version 1612 (build 9.0.2.3034) is the only build named. No CPE is enumerated (the record lists 'n/a'), so CPE-based asset matching will not flag this; match on the Dynamics on-premises version string instead. The weakness is in the product's integration with SQL Server Reporting Services, not in SSRS on its own. Earlier and later on-premises releases are not addressed by the record, so verify their patch status rather than assuming they are unaffected. The only vendor link given is https://microsoft.com, which is not a specific advisory; take version-specific guidance from Microsoft's entry for CVE-2025-58112 in the Security Update Guide.

Remediation

Upgrade Microsoft Dynamics 365 Customer Engagement (on-premises) past build 1612 (9.0.2.3034) to the release Microsoft lists as fixed for CVE-2025-58112; this page names no minimum patch level and links only https://microsoft.com, so confirm the fixed version in the Security Update Guide before scheduling the change. Until then, apply the following compensating controls, in order of payoff:

(1) Remove the 'Add Reporting Services Reports' privilege from every Dynamics security role except the one used by report administrators, and enforce multi-factor authentication on those accounts.
(2) Inventory every report already deployed in SSRS and registered in Dynamics. The description states that an existing, executable SQL-based report needs no upload privilege, so reports not created by a verified process, and reports whose datasets are raw SQL rather than FetchXML, should be removed or re-authored; re-check which roles can run the ones that stay.
(3) Enable SSRS execution logging and review it (the ExecutionLog views in the ReportServer database) for reports run by accounts that do not normally run them, repeated rendering of a single report, or unusually long-running queries; add SQL Server Audit on the Dynamics database for linked-server and xp_cmdshell use.
(4) Apply least privilege to the database identity behind the SSRS data source: it should not be sysadmin, and it should not be the SSRS service account itself. Disable xp_cmdshell and cross-database ownership chaining at the instance level with sp_configure unless they are explicitly required (both are server options, not account permissions), and review linked servers and the logins mapped to them.
(5) Restrict network access to the SSRS web service and Report Manager endpoints to the Dynamics front-end servers and administrative hosts.

If none of this is feasible, isolate or decommission the 1612 instance and migrate to a supported on-premises or cloud release.

Priority Score

Score: 0 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +0
POC: 0
