CVE-2024-35249 - Vulnerability Details - OpenCVE

Microsoft Dynamics 365 Business Central Remote Code Execution Vulnerability

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.22089.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Microsoft Subscribe	Dynamics 365 Business Central Subscribe Dynamics 365 Business Central 2023 Subscribe Dynamics 365 Business Central 2024 Subscribe

Configuration 1 [-]

OR	cpe:2.3:a:microsoft:dynamics_365_business_central:2023:release_wave_1::::::
	cpe:2.3:a:microsoft:dynamics_365_business_central:2023:release_wave_2::::::
	cpe:2.3:a:microsoft:dynamics_365_business_central:2024:release_wave_1::::::

No data.

No data.

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35249

History

Wed, 17 Dec 2025 22:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Microsoft dynamics 365 Business Central 2023 Microsoft dynamics 365 Business Central 2024
CPEs		cpe:2.3:a:microsoft:dynamics_365_business_central_2023::release_wave_1::::::* cpe:2.3:a:microsoft:dynamics_365_business_central_2023::release_wave_2::::::* cpe:2.3:a:microsoft:dynamics_365_business_central_2024::release_wave_1::::::*
Vendors & Products		Microsoft dynamics 365 Business Central 2023 Microsoft dynamics 365 Business Central 2024

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: microsoft

Published: 2024-06-11T17:00:06.410Z

Updated: 2025-12-17T22:23:43.384Z

Reserved: 2024-05-14T20:14:47.410Z

Link: CVE-2024-35249

Vulnrichment

Updated: 2024-08-02T03:07:46.945Z

NVD

Status : Modified

Published: 2024-06-11T17:16:02.417

Modified: 2024-11-21T09:20:01.130

Link: CVE-2024-35249

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-502

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2024-35249", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "state": "PUBLISHED", "assignerShortName": "microsoft", "dateReserved": "2024-05-14T20:14:47.410Z", "datePublished": "2024-06-11T17:00:06.410Z", "dateUpdated": "2025-12-17T22:23:43.384Z"}, "containers": {"cna": {"title": "Microsoft Dynamics 365 Business Central Remote Code Execution Vulnerability", "datePublic": "2024-06-11T07:00:00.000Z", "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:dynamics_365_business_central_2024:*:release_wave_1:*:*:*:*:*:*", "versionStartIncluding": "24.0", "versionEndExcluding": "Application Build 24.1.19498, Platform Build 24.0."}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:dynamics_365_business_central_2023:*:release_wave_1:*:*:*:*:*:*", "versionStartIncluding": "22.0.0", "versionEndExcluding": "Application Build 22.13.64344, Platform Build 22.0"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:dynamics_365_business_central_2023:*:release_wave_2:*:*:*:*:*:*", "versionStartIncluding": "23.0.0", "versionEndExcluding": "Application Build 23.7.18957, Platform Build 23.0."}]}]}], "affected": [{"vendor": "Microsoft", "product": "Microsoft Dynamics 365 Business Central 2024 Release Wave 1", "platforms": ["Unknown"], "versions": [{"version": "24.0", "lessThan": "Application Build 24.1.19498, Platform Build 24.0.", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Microsoft Dynamics 365 Business Central 2023 Release Wave 1", "platforms": ["Unknown"], "versions": [{"version": "22.0.0", "lessThan": "Application Build 22.13.64344, Platform Build 22.0", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Microsoft Dynamics 365 Business Central 2023 Release Wave 2", "platforms": ["Unknown"], "versions": [{"version": "23.0.0", "lessThan": "Application Build 23.7.18957, Platform Build 23.0.", "versionType": "custom", "status": "affected"}]}], "descriptions": [{"value": "Microsoft Dynamics 365 Business Central Remote Code Execution Vulnerability", "lang": "en-US"}], "problemTypes": [{"descriptions": [{"description": "CWE-502: Deserialization of Untrusted Data", "lang": "en-US", "type": "CWE", "cweId": "CWE-502"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2025-12-17T22:23:43.384Z"}, "references": [{"name": "Microsoft Dynamics 365 Business Central Remote Code Execution Vulnerability", "tags": ["vendor-advisory"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35249"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseSeverity": "HIGH", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C"}}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-13T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2024-35249"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-14T03:55:48.237Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:07:46.945Z"}, "title": "CVE Program Container", "references": [{"name": "Microsoft Dynamics 365 Business Central Remote Code Execution Vulnerability", "tags": ["vendor-advisory", "x_transferred"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35249"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35249", "name": "Microsoft Dynamics 365 Business Central Remote Code Execution Vulnerability", "tags": ["vendor-advisory", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:07:46.945Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-35249", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-06-11T20:47:06.458742Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-11T20:47:23.231Z"}}], "cna": {"title": "Microsoft Dynamics 365 Business Central Remote Code Execution Vulnerability", "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "Microsoft", "product": "Microsoft Dynamics 365 Business Central 2024 Release Wave 1", "versions": [{"status": "affected", "version": "24.0", "lessThan": "Application Build 24.1.19498, Platform Build 24.0.", "versionType": "custom"}], "platforms": ["Unknown"]}, {"vendor": "Microsoft", "product": "Microsoft Dynamics 365 Business Central 2023 Release Wave 1", "versions": [{"status": "affected", "version": "22.0.0", "lessThan": "Application Build 22.13.64344, Platform Build 22.0", "versionType": "custom"}], "platforms": ["Unknown"]}, {"vendor": "Microsoft", "product": "Microsoft Dynamics 365 Business Central 2023 Release Wave 2", "versions": [{"status": "affected", "version": "23.0.0", "lessThan": "Application Build 23.7.18957, Platform Build 23.0.", "versionType": "custom"}], "platforms": ["Unknown"]}], "datePublic": "2024-06-11T07:00:00.000Z", "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35249", "name": "Microsoft Dynamics 365 Business Central Remote Code Execution Vulnerability", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en-US", "value": "Microsoft Dynamics 365 Business Central Remote Code Execution Vulnerability"}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502: Deserialization of Untrusted Data"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:dynamics_365_business_central_2024:*:release_wave_1:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "Application Build 24.1.19498, Platform Build 24.0.", "versionStartIncluding": "24.0"}, {"criteria": "cpe:2.3:a:microsoft:dynamics_365_business_central_2023:*:release_wave_1:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "Application Build 22.13.64344, Platform Build 22.0", "versionStartIncluding": "22.0.0"}, {"criteria": "cpe:2.3:a:microsoft:dynamics_365_business_central_2023:*:release_wave_2:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "Application Build 23.7.18957, Platform Build 23.0.", "versionStartIncluding": "23.0.0"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2025-12-17T22:23:43.384Z"}}}, "cveMetadata": {"cveId": "CVE-2024-35249", "state": "PUBLISHED", "dateUpdated": "2025-12-17T22:23:43.384Z", "dateReserved": "2024-05-14T20:14:47.410Z", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "datePublished": "2024-06-11T17:00:06.410Z", "assignerShortName": "microsoft"}, "dataVersion": "5.2"}