Impact
The vulnerability is a command‑injection flaw caused by improper neutralization of special elements used in a command in M365 Copilot, allowing an unauthorized attacker to disclose information over a network. The issue is identified as CWE‑77.
Affected Systems
Microsoft 365 Copilot is the affected product. Because no specific version ranges are provided, all instances of this product are potentially vulnerable.
Risk and Exploitability
The CVSS score of 6.5 indicates moderate severity. An EPSS score of 8% shows a moderate likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalogue, suggesting no publicly known exploits have been documented. The likely attack vector an attacker must be able to reach the Copilot interface to supply the malicious input. Because the vulnerability is a command‑injection flaw (CWE‑77), the attacker can cause the service to disclose information over the network.
OpenCVE Enrichment