Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
Exposure of private personal information to an unauthorized actor in Dynamics 365 FastTrack Implementation Assets allows an unauthorized attacker to disclose information over a network.
AnalysisAI
CVE-2025-49715 is a private personal information disclosure vulnerability in Microsoft Dynamics 365 FastTrack Implementation Assets that allows unauthenticated network-based attackers to access sensitive user data without any user interaction. The vulnerability has a CVSS score of 7.5 (High) with confirmed high confidentiality impact, and affects organizations using Dynamics 365 FastTrack resources. Given the network-accessible nature and lack of authentication requirements, this poses significant risk to enterprise customer data security.
Technical ContextAI
This vulnerability exists in Dynamics 365 FastTrack Implementation Assets, which are cloud-based resources supporting enterprise Microsoft Dynamics 365 deployments. The underlying issue is classified as CWE-359 (Privacy Violation), indicating improper access control over personally identifiable information (PII). The vulnerability stems from inadequate authorization checks that fail to prevent unauthorized disclosure of private data over network channels. FastTrack assets typically include implementation guides, templates, and configuration resources that may inadvertently contain or provide pathways to customer PII stored within linked Dynamics 365 environments. The attack vector is Network (AV:N) with Low Attack Complexity (AC:L), meaning no special network proximity is required and exploitation does not depend on target configuration nuances.
RemediationAI
Immediate actions: (1) Contact Microsoft Security Response Center (MSRC) or check the Microsoft Security Update Guide for CVE-2025-49715 to obtain specific patch versions and deployment timelines. (2) Audit all FastTrack Implementation Assets in use to identify what PII may have been accessible. (3) Review access logs to determine if unauthorized access occurred. (4) Until patched, implement network-level access controls to restrict FastTrack resource endpoints to authorized users only. (5) Temporarily restrict or remove sensitive PII from FastTrack repositories pending patch deployment. (6) Follow Microsoft's official remediation guidance available through their security advisories portal. (7) Establish a timeline to deploy security updates immediately upon release; do not delay given network accessibility and lack of exploitation barriers.
More in Dynamics 365
View allWeak authentication in Microsoft Dynamics 365 allows an unauthenticated attacker to elevate privileges over a network. R
Microsoft Dynamics CRM (on-premises) Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerabi
Microsoft Dynamics CRM (on-premises) Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerabi
Microsoft Dynamics 365 On-Premises Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerabili
Microsoft Dynamics 365 On-Premises Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerabili
Microsoft Dynamics 365 for Finance and Operations (on-premises) Remote Code Execution Vulnerability. Rated high severity
Microsoft Dynamics 365 for Finance and Operations (on-premises) Remote Code Execution Vulnerability. Rated high severity
An elevation of privilege vulnerability exists in Dynamics On-Premise v9. Rated high severity (CVSS 8.8), this vulnerabi
A remote code execution vulnerability exists in Microsoft Dynamics 365 (on-premises) version 8 when the server fails to
Dynamics CRM Webclient Cross-site Scripting Vulnerability. Rated high severity (CVSS 8.7), this vulnerability is remotel
Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability. Rated high severity (CVSS 8.2), this vulnerabil
Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability. Rated high severity (CVSS 8.2), this vulnerabil
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-21174