Microsoft 365 Copilot
Monthly
Command injection in Microsoft 365 Copilot enables unauthenticated remote attackers to exfiltrate sensitive information when a user interacts with a crafted payload. The vulnerability (CWE-77) arises from improper neutralization of special command elements processed by the Copilot service, resulting in high confidentiality impact with no integrity or availability loss. No public exploit has been identified at time of analysis, and Microsoft has issued an official patch, but the potential for targeted information disclosure attacks against enterprise environments warrants prompt remediation.
Command injection in Microsoft 365 Copilot exposes sensitive information to unauthenticated remote attackers when a victim user interacts with attacker-controlled content, resulting in High confidentiality impact with no integrity or availability effect. The vulnerability carries a CVSS 6.5 (Medium) score, reflecting network accessibility and low attack complexity offset by a mandatory user interaction requirement. No public exploit code exists at time of analysis, and Microsoft has released an official patch documented via the Microsoft Security Response Center.
Command injection in Microsoft 365 Copilot enables unauthenticated remote attackers to exfiltrate sensitive information when a user interacts with a crafted payload. The vulnerability (CWE-77) arises from improper neutralization of special command elements processed by the Copilot service, resulting in high confidentiality impact with no integrity or availability loss. No public exploit has been identified at time of analysis, and Microsoft has issued an official patch, but the potential for targeted information disclosure attacks against enterprise environments warrants prompt remediation.
Command injection in Microsoft 365 Copilot exposes sensitive information to unauthenticated remote attackers when a victim user interacts with attacker-controlled content, resulting in High confidentiality impact with no integrity or availability effect. The vulnerability carries a CVSS 6.5 (Medium) score, reflecting network accessibility and low attack complexity offset by a mandatory user interaction requirement. No public exploit code exists at time of analysis, and Microsoft has released an official patch documented via the Microsoft Security Response Center.