Skip to main content

Dynamics NAV EUVDEUVD-2026-44229

| CVE-2026-55944 CRITICAL
Deserialization of Untrusted Data (CWE-502)
2026-07-14 microsoft GHSA-rvmx-r962-429w
9.8
CVSS 3.1 · Vendor: microsoft
Share

Severity by source

Vendor (microsoft) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
9.8 CRITICAL

Unauthenticated network-reachable deserialization needing no user interaction gives AV:N/AC:L/PR:N/UI:N, and code execution yields full C:H/I:H/A:H.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (microsoft).

CVSS VectorVendor: microsoft

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 14, 2026 - 19:13 vuln.today
CVE Published
Jul 14, 2026 - 17:09 nvd
CRITICAL 9.8

DescriptionCVE.org

Deserialization of untrusted data in Microsoft Dynamics NAV allows an unauthorized attacker to execute code over a network.

AnalysisAI

Remote code execution in Microsoft Dynamics NAV 2018 allows an unauthorized, network-based attacker to run arbitrary code by submitting maliciously crafted serialized data that the application deserializes without validation (CWE-502). With a CVSS 9.8 vector requiring no authentication and no user interaction, successful exploitation grants full compromise of the ERP host. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify reachable NAV service endpoint
Delivery
Send crafted serialized payload
Exploit
Trigger unsafe deserialization (CWE-502)
Execution
Execute gadget chain as service account
Impact
Full RCE and host compromise

Vulnerability AssessmentAI

Exploitation Exploitation requires network reachability to a Microsoft Dynamics NAV 2018 endpoint that accepts and deserializes serialized data (the NAV Server service tier and its web/SOAP/OData services). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment All available signals point to high priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can reach a Dynamics NAV 2018 service endpoint sends a crafted serialized object payload to a network-facing NAV service; the server deserializes it without validation, triggering a gadget chain that executes attacker code in the context of the NAV service account. No credentials or user interaction are needed (PR:N/UI:N), so a single unauthenticated request against an exposed instance can yield full host compromise. …
Remediation Patch available per vendor advisory - apply the Microsoft-supplied update for Dynamics NAV 2018 referenced at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-55944, which lists the exact fixed cumulative update to install (no exact fix build was provided in this input, so verify the target version directly in the MSRC guide). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Microsoft Dynamics NAV 2018 instances and apply the vendor patch released by Microsoft Security Response Center (MSRC); if patching cannot complete immediately, isolate affected systems from untrusted networks and implement network-level access controls. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-44229 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy