Description
Execution with unnecessary privileges in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to execute code over a network.
Published: 2026-05-12
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is execution with unnecessary privileges in Microsoft Dynamics 365 (on-premises). It lets an attacker with authorized access run arbitrary code over a network. The result is remote code execution, compromising both confidentiality and integrity of the system.

Affected Systems

Microsoft Dynamics 365 (on-premises) version 9.1 is affected.

Risk and Exploitability

The CVSS score of 9.1 classifies this as a critical-severity vulnerability. The EPSS score of 0.00071 indicates a very low but non‑zero probability of exploitation, and the issue is not listed in CISA KEV, so there is no published evidence of exploitation yet. An attacker must already possess authorized credentials to exploit the flaw, which means that privileged users or compromised accounts could gain full control of the application server. The attack vector is network‑based: the vulnerability can be triggered from within the corporate network, or over a remote connection if the attacker obtains suitable credentials.

Generated by OpenCVE AI on May 14, 2026 at 15:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest vendor patch for Microsoft Dynamics 365 on‑premises that contains the fix for the privilege escalation flaw.
  • Restrict the rights of the Dynamics 365 service account and any administrative accounts to the minimum privileges required for operation, following the principle of least privilege.
  • Segment the network so that only trusted hosts and segments can reach the Dynamics 365 servers, limiting exposure to attackers with lateral movement capability.

Advisories

No advisories yet.

History

Thu, 14 May 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo

Wed, 13 May 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 12 May 2026 17:30:00 +0000

Type Values Removed Values Added
Description Execution with unnecessary privileges in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to execute code over a network.
Title Microsoft Dynamics 365 On-Premises Remote Code Execution Vulnerability
First Time appeared Microsoft
Microsoft dynamics 365
Weaknesses CWE-250
CPEs cpe:2.3:a:microsoft:dynamics_365:*:*:*:*:on-premises:*:*:*
Vendors & Products Microsoft
Microsoft dynamics 365
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-05-14T18:08:58.030Z

Reserved: 2026-04-30T14:51:12.703Z

Link: CVE-2026-42833

Vulnrichment

Updated: 2026-05-13T10:19:29.260Z

NVD

Status: Analyzed

Published: 2026-05-12T18:17:25.933

Modified: 2026-05-14T14:26:21.660

Link: CVE-2026-42833

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T16:00:15Z

Weaknesses