Description
Microsoft Dynamics 365 Customer Engagement (on-premises) 1612 (9.0.2.3034) allows the generation of customized reports via raw SQL queries in an upload of a .rdl (Report Definition Language) file; this is then processed by the SQL Server Reporting Service. An account with the privilege Add Reporting Services Reports can upload a malicious rdl file. If the malicious rdl file is already loaded and it is executable by the user, the Add Reporting Services Reports privilege is not required. A malicious actor can trigger the generation of the report, causing the execution of arbitrary SQL commands in the underlying database. Depending on the permissions of the account running SQL Server Reporting Services, the attacker may be able to perform additional actions, such as accessing linked servers or executing operating system commands.
Published: 2026-03-18
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote SQL Injection
Action: Assess Impact
AI Analysis

Impact

Microsoft Dynamics 365 Customer Engagement (on-premises) version 1612 (9.0.2.3034) allows an attacker to upload a malicious RDL (Report Definition Language) file whose datasets contain raw SQL queries. When SQL Server Reporting Services processes the uploaded file, it runs the embedded SQL against the underlying database with whatever rights the account used by Reporting Services holds. The weakness is tracked as SQL Injection (CWE-89): the report author controls the query text itself, so the attacker can read or modify arbitrary data in the database and, depending on the Reporting Services account's rights, reach linked servers or execute operating system commands (for example through extended stored procedures such as xp_cmdshell). The impact is therefore high for the confidentiality, integrity and availability of the database and, if broader privileges exist, of the host server.

Affected Systems

Affected product: Microsoft Dynamics 365 Customer Engagement (on-premises) 1612 (9.0.2.3034). The risk lies in the Reporting Services component that processes uploaded RDL files. No additional affected product versions are listed.

Risk and Exploitability

The CVSS v3.1 score is 8.8 (High), with vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H: a network-reachable attack of low complexity that needs a low-privileged account and no user interaction. The EPSS score is below 1%, suggesting a low current likelihood of exploitation, and the issue is not listed in CISA's KEV catalog. Exploitation requires either the Add Reporting Services Reports privilege (to upload a malicious RDL file) or an existing malicious report that the attacker's account is allowed to run; in the second case the upload privilege is not needed, so an account with ordinary report-execution rights can trigger the injected SQL. The attack path is the report upload and execution interface of the Dynamics web application, consistent with the network attack vector; the vendor description lists no further preconditions.

Generated by OpenCVE AI on March 19, 2026 at 16:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Restrict the Add Reporting Services Reports privilege to trusted users only, and review which existing reports low-privileged roles are allowed to execute.
  • Validate or quarantine uploaded RDL files before they are published, rejecting report datasets whose query text contains unchecked or dynamically built SQL.
  • Apply any Microsoft patch or later build of Dynamics 365 Customer Engagement (on-premises) that addresses the issue; check the vendor's support site for updates.
  • If custom SQL-based reports are not required, disable RDL upload functionality or limit it to administrative roles.
  • Run SQL Server Reporting Services, and the data-source logins its reports use, with least privilege: no access to linked servers and no rights to xp_cmdshell or other command-execution procedures.

Generated by OpenCVE AI on March 19, 2026 at 16:26 UTC.
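The following Python script is an added example, not part of the OpenCVE record or of Microsoft's tooling. It implements the "validate or quarantine uploaded RDL files" control from the recommended actions: it walks every DataSet in an RDL document, extracts the query text that Reporting Services would execute, and flags the constructs the vulnerability description warns about (OS command procedures, linked-server access, multi-statement batches and expression-built dynamic SQL). The RDL sample, the data-source name CRM, the linked server name LINKEDSRV and the deny-list patterns are all constructed for illustration and would need tuning for a real deployment.

```python
"""Added example (not OpenCVE's or Microsoft's code): a pre-publish scanner for
RDL files that extracts every dataset query and flags SQL that should not appear
in a report uploaded by an ordinary Dynamics user.

Assumptions: standard RDL layout (DataSets/DataSet/Query/CommandText); the
deny-list below is a hypothetical starting point, not an exhaustive one.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: one benign dataset, one that abuses the data-source
# account, and one whose query is built from a report parameter at run time.
MALICIOUS_RDL = b"""<?xml version="1.0" encoding="utf-8"?>
<Report xmlns="http://schemas.microsoft.com/sqlserver/reporting/2016/01/reportdefinition">
  <DataSources>
    <DataSource Name="CRM">
      <ConnectionProperties>
        <DataProvider>SQL</DataProvider>
        <ConnectString>Data Source=crmsql;Initial Catalog=Contoso_MSCRM</ConnectString>
      </ConnectionProperties>
    </DataSource>
  </DataSources>
  <DataSets>
    <DataSet Name="Accounts">
      <Query>
        <DataSourceName>CRM</DataSourceName>
        <CommandType>Text</CommandType>
        <CommandText>SELECT name FROM FilteredAccount</CommandText>
      </Query>
    </DataSet>
    <DataSet Name="Payload">
      <Query>
        <DataSourceName>CRM</DataSourceName>
        <CommandType>Text</CommandType>
        <CommandText>SELECT 1; EXEC master..xp_cmdshell 'whoami';
SELECT * FROM [LINKEDSRV].master.sys.syslogins</CommandText>
      </Query>
    </DataSet>
    <DataSet Name="Dynamic">
      <Query>
        <DataSourceName>CRM</DataSourceName>
        <CommandType>Text</CommandType>
        <CommandText>="SELECT * FROM FilteredContact WHERE lastname = '" &amp; Parameters!name.Value &amp; "'"</CommandText>
      </Query>
    </DataSet>
  </DataSets>
</Report>
"""

# Hypothetical deny-list; each label names the class of abuse it catches.
DENY_PATTERNS = {
    "os_command": re.compile(r"\bxp_cmdshell\b|\bsp_OACreate\b|\bxp_regwrite\b", re.I),
    # OPENQUERY/OPENROWSET/OPENDATASOURCE or a four-part [server].db.schema.object name
    "linked_server": re.compile(
        r"\bOPEN(QUERY|ROWSET|DATASOURCE)\b|(\[[^\]]+\]|\w+)(\.(\[[^\]]+\]|\w+)){3}", re.I),
    "batch_separator": re.compile(r";\s*\S"),  # more than one statement in the batch
    "ddl_dml": re.compile(
        r"\b(INSERT|UPDATE|DELETE|DROP|ALTER|CREATE|EXEC(UTE)?|GRANT)\b", re.I),
    "dynamic_sql": re.compile(r"^\s*="),  # CommandText is an expression, built at run time
}


def _local(tag):
    """Strip the namespace so the scanner works across RDL schema versions."""
    return tag.rsplit("}", 1)[-1]


def dataset_queries(rdl_bytes):
    """Yield (dataset_name, command_type, command_text) for every DataSet.
    ElementTree does not resolve external entities, so a hostile DTD cannot
    turn this parse step into an XXE read."""
    root = ET.fromstring(rdl_bytes)
    for ds in root.iter():
        if _local(ds.tag) != "DataSet":
            continue
        ctype, ctext = "Text", ""
        for el in ds.iter():
            name = _local(el.tag)
            if name == "CommandType":
                ctype = (el.text or "Text").strip()
            elif name == "CommandText":
                ctext = el.text or ""
        yield ds.get("Name", "?"), ctype, ctext


def scan_rdl(rdl_bytes):
    """Return {dataset_name: [finding_label, ...]}; an empty list means clean."""
    findings = {}
    for name, ctype, ctext in dataset_queries(rdl_bytes):
        hits = [label for label, rx in DENY_PATTERNS.items() if rx.search(ctext)]
        if ctype.lower() == "storedprocedure":
            hits.append("stored_procedure")  # the procedure body needs review, not the name
        findings[name] = hits
    return findings


def is_safe_to_publish(rdl_bytes):
    """Gate for an upload pipeline: publish only if no dataset was flagged."""
    return all(not hits for hits in scan_rdl(rdl_bytes).values())


if __name__ == "__main__":
    for ds, hits in scan_rdl(MALICIOUS_RDL).items():
        print(f"{ds:10s} {'OK' if not hits else 'QUARANTINE: ' + ', '.join(hits)}")
```

Run against the sample, the Accounts dataset passes, Payload is flagged for the OS command, the linked-server reference, the multi-statement batch and the EXEC, and Dynamic is flagged because its query text is a run-time expression. A deny-list of this kind is a compensating control only: a report author who can write arbitrary query text can still read anything the data-source login can read, so the permissions of that login remain the real boundary.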

Advisories

No advisories yet.

History

Tue, 24 Mar 2026 13:30:00 +0000

Type: Title
Values Added: Microsoft Dynamics 365 Customer Engagement on-premises Remote SQL Injection via Malicious RDL File

Thu, 19 Mar 2026 15:15:00 +0000

Type: Weaknesses
Values Added: CWE-89

Type: Metrics
Values Added:
cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 19 Mar 2026 09:45:00 +0000

Type: First Time appeared
Values Added: Microsoft; Microsoft dynamics 365 Customer Service

Type: Vendors & Products
Values Added: Microsoft; Microsoft dynamics 365 Customer Service

Wed, 18 Mar 2026 19:00:00 +0000

Type: Description
Values Added: Microsoft Dynamics 365 Customer Engagement (on-premises) 1612 (9.0.2.3034) allows the generation of customized reports via raw SQL queries in an upload of a .rdl (Report Definition Language) file; this is then processed by the SQL Server Reporting Service. An account with the privilege Add Reporting Services Reports can upload a malicious rdl file. If the malicious rdl file is already loaded and it is executable by the user, the Add Reporting Services Reports privilege is not required. A malicious actor can trigger the generation of the report, causing the execution of arbitrary SQL commands in the underlying database. Depending on the permissions of the account running SQL Server Reporting Services, the attacker may be able to perform additional actions, such as accessing linked servers or executing operating system commands.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-19T14:42:28.552Z

Reserved: 2025-08-25T00:00:00.000Z

Link: CVE-2025-58112

Vulnrichment

Updated: 2026-03-19T14:42:18.634Z

NVD

Status : Awaiting Analysis

Published: 2026-03-18T19:16:03.497

Modified: 2026-03-19T15:16:20.657

Link: CVE-2025-58112

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:53:56Z

Weaknesses