Description
Improper control of generation of code ('code injection') in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to execute code over a network.
Published: 2026-05-12
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The updated description indicates that an authorized attacker can exploit improper code generation, allowing execution of arbitrary code over the network in Microsoft Dynamics 365 (on-premises). This flaw constitutes a remote code execution vulnerability, compromising confidentiality, integrity, and availability of the affected system.

Affected Systems

Microsoft Dynamics 365 (on-premises) version 9.1 is affected.

Risk and Exploitability

The CVSS score of 9.1 classifies this as a critical severity vulnerability. The EPSS score of 0.00097 indicates a very low but non‑zero probability of exploitation, and the issue is not listed in CISA KEV, so there is no published exploit evidence yet. An attacker must already possess authorized credentials to exploit the flaw, indicating that privileged users or compromised accounts could gain full control of the application server. The attack vector is network‑based, meaning the vulnerability can be triggered from within the corporate network or over a remote connection if the attacker obtains suitable credentials.

Generated by OpenCVE AI on June 1, 2026 at 21:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest vendor patch for Microsoft Dynamics 365 on‑premises that contains the fix for the code injection flaw.
  • Restrict the rights of the Dynamics 365 service account and any administrative accounts to the minimum privileges required for operation, following the principle of least privilege.
  • Segment the network so that only trusted hosts and segments can reach the Dynamics 365 servers, limiting exposure to attackers with lateral movement capability.

Generated by OpenCVE AI on June 1, 2026 at 21:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 01 Jun 2026 19:00:00 +0000

Type Values Removed Values Added
Description Execution with unnecessary privileges in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to execute code over a network. Improper control of generation of code ('code injection') in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to execute code over a network.

Thu, 14 May 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo

Wed, 13 May 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 12 May 2026 17:30:00 +0000

Type Values Removed Values Added
Description Execution with unnecessary privileges in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to execute code over a network.
Title Microsoft Dynamics 365 On-Premises Remote Code Execution Vulnerability
First Time appeared Microsoft
Microsoft dynamics 365
Weaknesses CWE-250
CPEs cpe:2.3:a:microsoft:dynamics_365:*:*:*:*:on-premises:*:*:*
Vendors & Products Microsoft
Microsoft dynamics 365
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C'}

Subscriptions

Microsoft Dynamics 365
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-02T23:17:23.693Z

Reserved: 2026-04-30T14:51:12.703Z

Link: CVE-2026-42833

cve-icon Vulnrichment

Updated: 2026-05-13T10:19:29.260Z

cve-icon NVD

Status : Modified

Published: 2026-05-12T18:17:25.933

Modified: 2026-06-01T19:16:44.793

Link: CVE-2026-42833

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-01T21:30:26Z

Weaknesses