Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Unauthenticated network-reachable deserialization needing no user interaction gives AV:N/AC:L/PR:N/UI:N, and code execution yields full C:H/I:H/A:H.
Primary rating from Vendor (microsoft).
CVSS VectorVendor: microsoft
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Deserialization of untrusted data in Microsoft Dynamics NAV allows an unauthorized attacker to execute code over a network.
AnalysisAI
Remote code execution in Microsoft Dynamics NAV 2018 allows an unauthorized, network-based attacker to run arbitrary code by submitting maliciously crafted serialized data that the application deserializes without validation (CWE-502). With a CVSS 9.8 vector requiring no authentication and no user interaction, successful exploitation grants full compromise of the ERP host. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires network reachability to a Microsoft Dynamics NAV 2018 endpoint that accepts and deserializes serialized data (the NAV Server service tier and its web/SOAP/OData services). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | All available signals point to high priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who can reach a Dynamics NAV 2018 service endpoint sends a crafted serialized object payload to a network-facing NAV service; the server deserializes it without validation, triggering a gadget chain that executes attacker code in the context of the NAV service account. No credentials or user interaction are needed (PR:N/UI:N), so a single unauthenticated request against an exposed instance can yield full host compromise. … |
| Remediation | Patch available per vendor advisory - apply the Microsoft-supplied update for Dynamics NAV 2018 referenced at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-55944, which lists the exact fixed cumulative update to install (no exact fix build was provided in this input, so verify the target version directly in the MSRC guide). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all Microsoft Dynamics NAV 2018 instances and apply the vendor patch released by Microsoft Security Response Center (MSRC); if patching cannot complete immediately, isolate affected systems from untrusted networks and implement network-level access controls. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-502 – Deserialization of Untrusted Data
View allSame technique Deserialization
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44229
GHSA-rvmx-r962-429w