
Microsoft Dynamics 365 · EUVD-2026-35532

CVE-2026-40371 · HIGH
Improper Handling of Insufficient Permissions or Privileges (CWE-280)
2026-06-09 · secure@microsoft.com · GHSA-q5cq-75qj-crvp
CVSS 3.1 (NVD): 8.8 · Temporal: 7.7

Severity by source

NVD (primary): 8.8 HIGH (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
CIRCL (temporal): 7.7 HIGH

Primary rating from NVD.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Patch available: Jun 09, 2026 19:03 (EUVD)
Analysis generated: Jun 09, 2026 17:33 (vuln.today)
CVE published: Jun 09, 2026 17:17 (NVD)

Description (CVE.org)

Improper handling of insufficient permissions or privileges in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to elevate privileges over a network.

Analysis (AI)

Privilege escalation in Microsoft Dynamics 365 (on-premises) allows a remote authenticated attacker with low-level access to gain elevated privileges across the network due to improper handling of insufficient permissions. With a CVSS score of 8.8 and full impact on confidentiality, integrity, and availability, this issue is significant for organizations running on-premises Dynamics 365 deployments. …


Attack Chain (AI derived)

Hypothetical attack flow derived from CVE metadata

Access: Obtain low-privilege Dynamics 365 credentials
Delivery: Authenticate to on-premises application over network
Exploit: Invoke operation with missing permission check
Execution: Escalate to higher-privileged role
Impact: Access or modify sensitive CRM data

Vulnerability Assessment (AI)

Exploitation: The attacker must hold valid low-privilege credentials (CVSS PR:L) to an on-premises Microsoft Dynamics 365 deployment and have network reachability to its application endpoints; no user interaction is required (UI:N) and attack complexity is low (AC:L). …

Risk Assessment: The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H indicates network-reachable, low-complexity exploitation requiring only low privileges and no user interaction, with high impact across the CIA triad, a strong signal for prioritization in environments where Dynamics 365 holds business-critical CRM/ERP data. …

Exploit Scenario: An attacker who has obtained low-privilege Dynamics 365 credentials, for example via phishing of a sales or support user, authenticates to the on-premises Dynamics 365 web application over the network and invokes an operation that fails to properly verify their permission level. By chaining the missing check, they elevate their effective role to one with administrative rights over CRM data and configuration, enabling exfiltration of customer records, manipulation of business data, or pivoting deeper into the Windows/SQL backend. …

Remediation: Apply the security update published by Microsoft via the MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40371 as the primary remediation; exact fix build numbers are not included in the supplied data and should be retrieved from that advisory. …

Recommended Action (AI)

Within 24 hours: Identify all on-premises Dynamics 365 deployments and their network locations; implement emergency network segmentation to restrict administrative access and enable monitoring for privilege escalation attempts. …
