CVE-2026-40371: Microsoft Dynamics 365 On-Premises Privilege Escalation (CVSS 8.8 HIGH)
Microsoft Dynamics 365 (on-premises) contains a privilege escalation vulnerability that allows an authenticated user to gain elevated permissions over the network. An attacker who already has valid credentials can exploit insufficient permission checks to escalate their access level and perform unauthorized actions within the system. This is a serious flaw because it bypasses the normal access control model that should restrict what authenticated users can do.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-280, CWE-755
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Improper handling of insufficient permissions or privileges in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to elevate privileges over a network.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-40371 is a privilege escalation vulnerability (CVSS 8.8 HIGH) stemming from improper handling of permission validation in Microsoft Dynamics 365 on-premises. The flaw is cataloged under CWE-280 (Improper Handling of Insufficient Permissions or Privileges) and CWE-755 (Improper Handling of Exceptional Conditions). The attack vector is network-based, requires low complexity, and demands that an attacker already possess legitimate credentials (PR:L). Once exploited, the vulnerability grants high-impact access to confidentiality, integrity, and availability of the affected Dynamics 365 instance. The vulnerability is not currently tracked in the CISA Known Exploited Vulnerabilities catalog.
Business impact
Organizations running Dynamics 365 on-premises face insider threat risk from authenticated users—such as contractors, departed employees with lingering access, or compromised accounts—who could escalate privileges to modify financial records, customer data, or critical business configurations. This can lead to unauthorized data exfiltration, system sabotage, compliance violations, and reputational damage. The scope is limited to authenticated attackers, but their elevated position post-exploit could enable lateral movement or persistence.
Affected systems
Microsoft Dynamics 365 (on-premises deployments) is affected. This advisory does not cover Dynamics 365 cloud (online) instances unless explicitly stated in the vendor advisory. Organizations should verify their deployment architecture—verify whether you operate on-premises, cloud, or a hybrid model—to determine exposure.
Exploitability
Exploitation requires the attacker to possess valid credentials (authenticated access). Network accessibility is required, but the attack itself requires no user interaction or complex conditions. The low attack complexity and direct network path mean that once an attacker gains initial footing with any legitimate account, privilege escalation is trivial to execute. However, the barrier of entry—obtaining valid credentials—limits the threat to insider scenarios or accounts compromised through phishing, credential theft, or lateral movement.
Remediation
Apply the security update provided by Microsoft for Dynamics 365 on-premises. Organizations should prioritize patching systems in environments where multiple privileged-access roles exist or where guest/contractor accounts have broad baseline permissions. Interim mitigations may include restricting network access to Dynamics 365 on-premises systems via firewall rules, enforcing multi-factor authentication for all user accounts, and conducting access reviews to remove or downgrade unnecessary permissions for low-privilege roles.
Patch guidance
Monitor Microsoft's security update releases and vendor advisories for patched versions of Dynamics 365 on-premises. Apply patches to all affected instances in a staged manner, beginning with non-production environments to validate compatibility. Verify patch installation by confirming the version number against the official Microsoft advisory. Organizations should consult the Microsoft Dynamics 365 on-premises support lifecycle to understand which versions receive security updates.
Detection guidance
Monitor Dynamics 365 audit logs for privilege escalation attempts, including role assignments, permission grants, or access to sensitive tables by low-privilege accounts. Use Security Information and Event Management (SIEM) tools to correlate authentication events with subsequent privilege escalations. Search for unusual API calls or administrative operations initiated by accounts that do not typically perform such actions. If Dynamics 365 is integrated with Microsoft Sentinel or Microsoft Defender for Cloud, leverage built-in detections for privilege escalation patterns.
Why prioritize this
CVE-2026-40371 scores CVSS 8.8 (HIGH) due to the complete compromise of confidentiality, integrity, and availability once an attacker escalates privileges. Although exploitation requires prior authentication, the ease of execution (low complexity, no user interaction) and the high impact make this a critical priority for organizations running on-premises Dynamics 365. Insider threat scenarios and post-compromise lateral movement amplify the risk. Patching should be treated as urgent.
Risk score, explained
The CVSS 8.8 rating reflects: (1) Network-based attack surface (AV:N), (2) Low attack complexity—no special conditions needed once authenticated (AC:L), (3) Requirement for low-level privileges (PR:L), ensuring that any authenticated user can attempt exploitation, (4) No user interaction required (UI:N), enabling automated or opportunistic attacks, and (5) Unrestricted impact on confidentiality, integrity, and availability (C:H/I:H/A:H). The vulnerability does not cross scope boundaries (S:U), but its impact within a single Dynamics 365 instance is severe. The combination of ease of execution and complete system compromise justifies the HIGH severity.
Frequently asked questions
Does this affect Dynamics 365 Online (cloud) or only on-premises?
The advisory specifically addresses Dynamics 365 on-premises. Cloud deployments should be reviewed separately through Microsoft's cloud security advisories, as Microsoft manages cloud infrastructure and patching independently. Verify your deployment model with your IT team before assuming exposure or exemption.
What should we do if we discover an unauthorized privilege escalation in our Dynamics 365 logs?
Immediately isolate the affected user account, revoke all active sessions, and initiate an incident investigation to determine scope of access and any data modifications. Preserve audit logs for forensic analysis. Engage your incident response team and consider escalating to law enforcement if unauthorized access or data exfiltration is confirmed. Patch the vulnerability immediately.
Can we use firewall rules or network segmentation to reduce risk while we prepare patches?
Yes. Restrict network access to Dynamics 365 on-premises to trusted networks or VPN-only access. Implement strict identity and access management controls, including multi-factor authentication for all user accounts and role-based access control (RBAC) to minimize standing privileges. These measures reduce attack surface while patches are staged.
Is this vulnerability actively exploited in the wild?
The vulnerability is not currently tracked in the CISA Known Exploited Vulnerabilities catalog as of the advisory date. However, given its high severity and low exploitation complexity, it is prudent to assume potential exploitation and prioritize patching accordingly. Do not delay remediation based on lack of current public exploit reports.
This analysis is provided for informational and educational purposes and does not constitute legal or professional security advice. Vulnerability details and patch status are subject to change; verify all technical claims, patch availability, and affected versions against official Microsoft security advisories and CVSS documentation. Organizations should conduct their own risk assessments and consult qualified security professionals before implementing remediation. SEC.co makes no warranty regarding the completeness or accuracy of this analysis and assumes no liability for damages resulting from its use or reliance. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-9516HIGHCpanel::JSON::XS Denial of Service via UTF-8 BOM and Filter Callbacks
- CVE-2026-48524LOWPyJWT Denial of Service via Unlimited JWKS Requests
- CVE-2026-9792MEDIUMKeycloak Client Policies ROPC Grant Bypass
- CVE-2026-10000HIGHChrome Sandbox Escape via Use-After-Free in Password Handling
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10006HIGHChrome WebAudio Race Condition Remote Code Execution