External risk intelligence

Microsoft Dynamics 365 (on-premises) could allow internal attacker to gain control of the server

CVE advisorySeverity: CRITICAL (CVSS 9.9)

CVE-2026-42898

An internal attacker can exploit a flaw in Microsoft Dynamics 365 (on-premises) to run unauthorized code on the server, potentially gaining full administrative control. This could result in the theft of sensitive business data and allow further movement within the company network.

2Halo Surface Signal

Code Injection

Microsoft Dynamics 365

9.1.1.914 to before 9.1.45.11

External exposure likelihood

Halo Surface Signal score for CVE-2026-42898

This vulnerability affects an on-premises enterprise application. Exploitation requires an authenticated internal user with existing credentials. While the application is network-reachable, it is typically deployed behind internal controls or restricted network segments rather than exposed directly to the public internet.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Horizon Alert

Summary of the vulnerability and why it matters

An issue in Microsoft Dynamics 365 (on-premises) could allow an authorized attacker to run custom code over the network. This means a malicious actor could potentially take control of the system to further their goals.

  • Affects authorized users.
  • Could lead to unauthorized code execution.
  • Impacts on-premises deployments.

Attack Path

How an attacker could exploit the issue

An authenticated attacker could exploit this flaw in Microsoft Dynamics 365 (on-premises) by submitting specially crafted input to a network-accessible component. This would allow them to execute arbitrary code on the server, potentially leading to further compromise of the system and its data.

  • Requires authenticated access.
  • Targets network-facing code generation.
  • Attack depends on specific input validation flaws.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in Microsoft Dynamics 365 (on-premises) presents a concerning threat due to its potential for code injection and execution over a network. While requiring authenticated access, the critical severity and ease of exploitation suggest it could be a target for attackers already inside a network or those who have gained initial access. The fact that it allows an authorized attacker to execute code remotely makes it highly desirable for post-exploitation activities.

  • Network-accessible, authenticated exploitation.
  • No public exploit observed yet.
  • Recently published vulnerability.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Focus on identifying and blocking any unauthorized network traffic to Microsoft Dynamics 365 (on-premises) and determine which authorized users might be impacted. Given the critical severity and potential for network code execution, prioritize immediate containment if a patch is not yet available.

  • Isolate affected Dynamics 365 instances.
  • Monitor for unusual administrative activity.
  • Apply Microsoft security updates when available.

Frequently asked questions

What is Microsoft Dynamics 365 (on-premises)?

Microsoft Dynamics 365 (on-premises) is an enterprise resource planning (ERP) and customer relationship management (CRM) software suite that organizations can install and manage on their own servers. It helps businesses manage core operations like sales, customer service, and financial processes.

What is the weakness class for CVE-2026-42898?

The weakness class for CVE-2026-42898 is CWE-94, Improper control of generation of code. This means the software does not properly restrict how code can be created or modified, potentially allowing an attacker to inject and execute their own code.

How can an attacker exploit CVE-2026-42898?

An authenticated attacker can exploit this flaw by submitting specially crafted input to a network-accessible component, enabling them to execute arbitrary code on the server. This attack requires authenticated access and targets network-facing code generation due to specific input validation flaws.

What is the relevance of CVE-2026-42898 given Halo Surface Signal?

Halo Surface Signal indicates that while this vulnerability affects an on-premises application and requires authenticated internal user access, its critical severity and network-code execution capability make it a concerning threat for post-exploitation activities. Exploitation requires authenticated access and targets network-facing code generation.

What practical steps should be taken regarding CVE-2026-42898?

Organizations should focus on identifying and blocking unauthorized network traffic to Microsoft Dynamics 365 (on-premises). It is crucial to determine which authorized users might be impacted and to isolate affected instances. Monitoring for unusual administrative activity and applying Microsoft security updates when available are also key steps.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished Modified