Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Network-reachable Dynamics 365 endpoint, low complexity, requires any authenticated low-priv user (PR:L), no UI; scope changes across authorization boundary with full CIA impact post-escalation.
Primary rating from Vendor (microsoft).
CVSS VectorVendor: microsoft
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Improper access control in Microsoft Dynamics 365 allows an authorized attacker to elevate privileges over a network.
AnalysisAI
Privilege escalation in Microsoft Dynamics 365 allows authenticated low-privileged users to gain elevated rights across a network due to improper access control enforcement. The flaw carries a critical CVSS 9.9 score with scope change, indicating impact beyond the vulnerable component, and Microsoft has issued a patch via MSRC. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Attacker must hold valid low-privileged authenticated access (PR:L) to a Microsoft Dynamics 365 instance - any legitimate user role suffices, but at least one set of working credentials or an OAuth token is required, meaning fully unauthenticated internet attackers cannot exploit this. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mixed but lean toward high priority: CVSS 9.9 with AV:N/AC:L/PR:L/UI:N/S:C and high CIA impact indicates trivial network exploitation by any authenticated user with broad blast radius, and Microsoft is the reporter which lends high source confidence. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker obtains low-privileged credentials to a Dynamics 365 tenant - for example via phishing a sales rep or compromising a contractor account - then issues a crafted API or web request that bypasses authorization checks and grants administrative or cross-org privileges. With elevated rights, the attacker exports customer PII, modifies financial records, or pivots to other Entra-protected resources made reachable by the scope-change impact. |
| Remediation | Apply the Microsoft-released patch as documented in MSRC advisory https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47647; for Dynamics 365 Online tenants Microsoft typically rolls out fixes through the service automatically, but administrators should verify their tenant build and any required customer-side action in the Power Platform admin center. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all Dynamics 365 deployments and identify users with low-privilege accounts; implement access logging and alerts for privilege escalation attempts. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37947
GHSA-vq29-76j3-6vh5