Impact
Microsoft Dynamics 365 contains an improper access control flaw (CWE-284) that allows an authenticated user with limited privileges to elevate those privileges over the network and take full control of the application and its data. An attacker who bypasses the affected authorization checks can read, modify, or delete sensitive information, compromise the integrity of the system, and disrupt business operations.
Affected Systems
The vulnerability affects Microsoft Dynamics 365. No affected version range is given in the available advisory data, so every installation should be treated as potentially vulnerable unless Microsoft's own documentation states otherwise.
Risk and Exploitability
The CVSS base score of 9.9 places the flaw in the Critical range. No EPSS score is available, so there is no published estimate of the probability of exploitation, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog; the absence of both signals means exploitation is unconfirmed, not unlikely. The attack vector is inferred to be network-based: the attacker must already hold an authenticated account on the system, but one without the privileges needed for the sensitive actions, and then abuses the flaw to elevate that access. Once escalated, the attacker has full control over the application and its underlying data.
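The three signals cited above (CVSS base score, EPSS probability, KEV listing) are what a patch-triage pipeline combines, and the interesting case is exactly this one: a Critical CVSS with no EPSS row and no KEV entry. The following is an added example, not code from the OpenCVE page or from Microsoft, that parses the real FIRST EPSS and CISA KEV response formats and ranks a CVE without treating a missing EPSS score as "low". The CVE identifier `CVE-0000-0000` is a placeholder because the page does not give one, `CVE-0000-0001` is a fake identifier used only for contrast, and both sample payloads are constructed so the script runs offline; the two URLs are the real public endpoints and are only contacted when no offline payload is passed in.

```python
"""Added example: rank a CVE from CVSS, EPSS and KEV, handling a missing EPSS score."""
import json
import urllib.request
from dataclasses import dataclass
from typing import Optional

# Real public endpoints (FIRST EPSS API and CISA KEV feed); used only by fetch_json().
EPSS_URL = "https://api.first.org/data/v1/epss?cve={cve}"
KEV_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Placeholder: the advisory above gives no CVE identifier, so this is an
# assumption used only to exercise the code offline.
PLACEHOLDER_CVE = "CVE-0000-0000"

# Constructed sample payloads in the shape of the real responses.  The EPSS
# sample deliberately has no row for PLACEHOLDER_CVE, mirroring "EPSS not
# available"; CVE-0000-0001 is a fake identifier used only for contrast.
SAMPLE_EPSS = {"status": "OK", "total": 1,
               "data": [{"cve": "CVE-0000-0001", "epss": "0.42000",
                         "percentile": "0.97000", "date": "2024-01-01"}]}
SAMPLE_KEV = {"title": "constructed KEV excerpt",
              "vulnerabilities": [{"cveID": "CVE-0000-0001",
                                   "vendorProject": "ExampleVendor",
                                   "product": "ExampleProduct"}]}


@dataclass(frozen=True)
class Triage:
    cve: str
    cvss: float
    epss: Optional[float]   # None when FIRST publishes no score for the CVE
    in_kev: bool
    priority: str


def fetch_json(url: str, timeout: float = 10.0) -> dict:
    """Fetch and decode a JSON document; only used when no offline payload is supplied."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def parse_epss(payload: dict, cve: str) -> Optional[float]:
    """EPSS probability for `cve` from a FIRST API response, or None if not scored."""
    for row in payload.get("data", []):
        if row.get("cve") == cve:
            return float(row["epss"])
    return None


def in_kev_catalog(catalog: dict, cve: str) -> bool:
    """True if `cve` appears in a CISA KEV catalog document."""
    return any(entry.get("cveID") == cve for entry in catalog.get("vulnerabilities", []))


def prioritize(cvss: float, epss: Optional[float], in_kev: bool) -> str:
    """Assign a patch priority.  Confirmed exploitation (KEV) outranks everything;
    a missing EPSS score is treated as unknown, never as low, so a Critical CVSS
    still lands in P1 when no probability is available."""
    if in_kev:
        return "P1-exploited"
    if cvss >= 9.0 or (epss is not None and epss >= 0.5):
        return "P1-critical"
    if cvss >= 7.0 or (epss is not None and epss >= 0.1):
        return "P2-high"
    return "P3-routine"


def triage(cve: str, cvss: float,
           epss_payload: Optional[dict] = None,
           kev_catalog: Optional[dict] = None) -> Triage:
    """Combine the three signals.  Pass payloads for offline use; otherwise they
    are fetched live from the public endpoints."""
    if epss_payload is None:
        epss_payload = fetch_json(EPSS_URL.format(cve=cve))
    if kev_catalog is None:
        kev_catalog = fetch_json(KEV_URL)
    epss = parse_epss(epss_payload, cve)
    kev = in_kev_catalog(kev_catalog, cve)
    return Triage(cve, cvss, epss, kev, prioritize(cvss, epss, kev))


if __name__ == "__main__":
    # The advisory's own situation: CVSS 9.9, no EPSS row, not in KEV -> P1-critical.
    print(triage(PLACEHOLDER_CVE, 9.9, SAMPLE_EPSS, SAMPLE_KEV))
    # Contrast: a fake CVE that is scored by EPSS and listed in KEV -> P1-exploited.
    print(triage("CVE-0000-0001", 7.5, SAMPLE_EPSS, SAMPLE_KEV))
```

The ordering in `prioritize` encodes the caveat from the paragraph above: KEV membership is evidence of exploitation and beats any score, while an absent EPSS value carries no information and must not pull a Critical-CVSS finding down the queue.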
OpenCVE Enrichment