
Microsoft Dynamics 365 Privilege Escalation Vulnerability

CVE advisory

Severity: CRITICAL (CVSS 9.9)

CVE-2026-47647

Microsoft Dynamics 365 is commonly deployed as an internet-facing business application or enterprise resource planning service, making its web-based interfaces and associated API endpoints frequently accessible from the public internet in standard deployment patterns.

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a critical vulnerability in Microsoft Dynamics 365 that could allow an authenticated user to gain elevated privileges across the network. The issue stems from improper access controls within the software, which, if exploited, could have significant implications for data integrity and system control.

  • Authorized users can gain higher system access.
  • Impacts internet-facing business and ERP applications.
  • Focus on confirming relevance and potential exposure.

Attack Path

How an attacker could exploit the issue

An attacker with existing access to Microsoft Dynamics 365 could exploit this vulnerability to gain higher privileges within the system. This would involve leveraging improper access controls to escalate their permissions, potentially leading to significant compromise of data and system functions.

  • Requires authenticated access.
  • Exploits improper access controls.
  • Leads to privilege escalation.

Live Threat

Current exploitation, exposure, and threat context

An authorized attacker could elevate privileges over a network within Microsoft Dynamics 365, potentially impacting the confidentiality, integrity, and availability of the system and its data. This could occur when an attacker with legitimate access exploits the improper access control to gain higher permissions.

  • System and user data confidentiality.
  • Attacker exploits improper access control.
  • Unauthorized access and system modification.

Operational Fix

Recommended remediation, mitigation, and detection steps

This critical vulnerability in Microsoft Dynamics 365 could allow an authorized user to gain elevated privileges over a network. Action is required by the Dynamics 365 application owner, likely in coordination with the infrastructure or platform teams responsible for the Dynamics 365 environment. The first step is to identify all deployed instances of Dynamics 365, assess their external reachability and business criticality, and then confirm the exact ownership of each instance to prioritize and plan remediation.

  • Application owners must prioritize this issue.
  • Verify external reachability and business criticality.
  • Plan remediation with infrastructure teams.
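The triage steps above (inventory, external reachability, business criticality, ownership) can be run over an asset list as in the following added example, which is not part of the original advisory. The hostnames, owners, CSV columns and scoring weights are constructed assumptions for illustration.

```python
import csv
import io

# Constructed sample inventory (hypothetical hosts and owners, not from the advisory).
INVENTORY_CSV = """instance,internet_reachable,criticality,owner
crm-prod.example.com,yes,high,sales-apps
erp-prod.example.com,no,high,finance-apps
crm-partner.example.com,yes,medium,
crm-test.example.internal,no,low,platform-team
"""

# Assumed weights: reachability adds 3, so any internet-reachable instance
# outranks any internal-only one, whatever its criticality.
CRITICALITY = {"high": 3, "medium": 2, "low": 1}
REACHABLE_WEIGHT = 3


def triage(csv_text):
    """Return (ranked, unowned): rows in remediation order, and instances with no owner."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for row in rows:
        reachable = (row["internet_reachable"] or "").strip().lower() == "yes"
        label = (row["criticality"] or "").strip().lower()
        # An unknown or missing criticality is scored as high so it is not
        # silently pushed to the bottom of the list.
        row["score"] = CRITICALITY.get(label, 3) + (REACHABLE_WEIGHT if reachable else 0)
        row["internet_reachable"] = reachable
        row["owner"] = (row["owner"] or "").strip()
    ranked = sorted(rows, key=lambda r: (-r["score"], r["instance"]))
    # Ownership must be confirmed before remediation can be scheduled.
    unowned = [r["instance"] for r in ranked if not r["owner"]]
    return ranked, unowned


if __name__ == "__main__":
    ranked, unowned = triage(INVENTORY_CSV)
    for r in ranked:
        owner = r["owner"] or "UNCONFIRMED"
        print(f'{r["score"]}  {r["instance"]:<28} reachable={r["internet_reachable"]}  owner={owner}')
    print("Owner still to be confirmed:", ", ".join(unowned) or "none")
```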


Frequently asked questions

What is Microsoft Dynamics 365?

Microsoft Dynamics 365 is an enterprise-grade platform that combines customer relationship management (CRM) and enterprise resource planning (ERP) tools. Organizations use it to manage business processes like sales, finance, operations, and customer service. It functions as a central hub for sensitive corporate data and complex workflows, often serving as the backbone for managing day-to-day business interactions and organizational intelligence.

How does this CVE-2026-47647 vulnerability work?

This issue is categorized as improper access control (CWE-284). In plain English, the software fails to properly verify or enforce the permission boundaries that should restrict what a user can do. Because of this flaw, an authenticated user who is already inside the system can bypass these checks to elevate their privileges, effectively granting themselves higher levels of system control or administrative access than they were originally authorized to possess.

Do I need to worry if an attacker does not have an account?

No. The vulnerability specifically requires the attacker to have existing, authenticated access to the Microsoft Dynamics 365 environment. This means an unauthenticated user or an external visitor without valid credentials cannot trigger the privilege escalation. The flaw is not a bypass of the login screen itself; it is a breakdown of control that happens after a user has already successfully entered the application.

Why is this CVE considered high relevance for me?

Halo Surface Signal indicates that Microsoft Dynamics 365 is frequently deployed as an internet-facing service or web-accessible business application. Because these platforms are often exposed to the public internet to facilitate remote work and external partner connectivity, the barrier for an attacker to reach the application is low. If your instance is reachable via the web, it is more visible to potential threats.

How should I respond to this threat?

Begin by identifying all Dynamics 365 instances currently running in your environment. Since this requires administrative access to exploit, coordinate with your infrastructure and application owners to assess the business criticality of each instance. Once you have a complete inventory and understand which systems are internet-facing, work with your teams to plan and prioritize the necessary security updates to close the access control gap.
