Skip to main content

Dynamics 365 EUVDEUVD-2025-21174

| CVE-2025-49715 HIGH
Exposure of Private Personal Information to an Unauthorized Actor (CWE-359)
2025-06-20 secure@microsoft.com
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 15, 2026 - 00:19 euvd
EUVD-2025-21174
Analysis Generated
Mar 15, 2026 - 00:19 vuln.today
CVE Published
Jun 20, 2025 - 01:15 nvd
HIGH 7.5

DescriptionCVE.org

Exposure of private personal information to an unauthorized actor in Dynamics 365 FastTrack Implementation Assets allows an unauthorized attacker to disclose information over a network.

AnalysisAI

CVE-2025-49715 is a private personal information disclosure vulnerability in Microsoft Dynamics 365 FastTrack Implementation Assets that allows unauthenticated network-based attackers to access sensitive user data without any user interaction. The vulnerability has a CVSS score of 7.5 (High) with confirmed high confidentiality impact, and affects organizations using Dynamics 365 FastTrack resources. Given the network-accessible nature and lack of authentication requirements, this poses significant risk to enterprise customer data security.

Technical ContextAI

This vulnerability exists in Dynamics 365 FastTrack Implementation Assets, which are cloud-based resources supporting enterprise Microsoft Dynamics 365 deployments. The underlying issue is classified as CWE-359 (Privacy Violation), indicating improper access control over personally identifiable information (PII). The vulnerability stems from inadequate authorization checks that fail to prevent unauthorized disclosure of private data over network channels. FastTrack assets typically include implementation guides, templates, and configuration resources that may inadvertently contain or provide pathways to customer PII stored within linked Dynamics 365 environments. The attack vector is Network (AV:N) with Low Attack Complexity (AC:L), meaning no special network proximity is required and exploitation does not depend on target configuration nuances.

RemediationAI

Immediate actions: (1) Contact Microsoft Security Response Center (MSRC) or check the Microsoft Security Update Guide for CVE-2025-49715 to obtain specific patch versions and deployment timelines. (2) Audit all FastTrack Implementation Assets in use to identify what PII may have been accessible. (3) Review access logs to determine if unauthorized access occurred. (4) Until patched, implement network-level access controls to restrict FastTrack resource endpoints to authorized users only. (5) Temporarily restrict or remove sensitive PII from FastTrack repositories pending patch deployment. (6) Follow Microsoft's official remediation guidance available through their security advisories portal. (7) Establish a timeline to deploy security updates immediately upon release; do not delay given network accessibility and lack of exploitation barriers.

CVE-2024-38182 CRITICAL
9.8 Jul 31

Weak authentication in Microsoft Dynamics 365 allows an unauthenticated attacker to elevate privileges over a network. R

CVE-2022-35805 HIGH
8.8 Sep 13

Microsoft Dynamics CRM (on-premises) Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerabi

CVE-2022-34700 HIGH
8.8 Sep 13

Microsoft Dynamics CRM (on-premises) Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerabi

CVE-2022-23259 HIGH
8.8 Apr 15

Microsoft Dynamics 365 On-Premises Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerabili

CVE-2021-42316 HIGH
8.8 Nov 10

Microsoft Dynamics 365 On-Premises Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerabili

CVE-2020-17158 HIGH
8.8 Dec 10

Microsoft Dynamics 365 for Finance and Operations (on-premises) Remote Code Execution Vulnerability. Rated high severity

CVE-2020-17152 HIGH
8.8 Dec 10

Microsoft Dynamics 365 for Finance and Operations (on-premises) Remote Code Execution Vulnerability. Rated high severity

CVE-2019-1229 HIGH
8.8 Aug 14

An elevation of privilege vulnerability exists in Dynamics On-Premise v9. Rated high severity (CVSS 8.8), this vulnerabi

CVE-2018-8609 HIGH
8.8 Nov 14

A remote code execution vulnerability exists in Microsoft Dynamics 365 (on-premises) version 8 when the server fails to

CVE-2020-17147 HIGH
8.7 Dec 10

Dynamics CRM Webclient Cross-site Scripting Vulnerability. Rated high severity (CVSS 8.7), this vulnerability is remotel

CVE-2024-38211 HIGH
8.2 Aug 13

Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability. Rated high severity (CVSS 8.2), this vulnerabil

CVE-2024-21395 HIGH
8.2 Feb 13

Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability. Rated high severity (CVSS 8.2), this vulnerabil

Share

EUVD-2025-21174 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy