CVE-2026-42898 – Microsoft Dynamics 365 On-Premises Remote Code Execution Vulnerability
“An attacker with only basic access can potentially turn a business application server into a remote execution platform.”
A critical remote code execution vulnerability exists in Microsoft Dynamics 365 On-Premises due to improper control of code generation. The flaw allows an authenticated attacker with low privileges to execute malicious code over the network by modifying process session data within Dynamics CRM. Because exploitation requires no user interaction and can impact systems beyond the vulnerable component’s original security scope, this vulnerability represents a serious enterprise risk.
CVSS Score: 9.9
SEVERITY: Critical
THREAT:
This vulnerability could allow authenticated attackers to remotely execute arbitrary code on affected Dynamics 365 servers. Successful exploitation may result in full server compromise, unauthorized access to business applications, theft of sensitive CRM records, disruption of operations, and lateral movement into connected enterprise systems.
EXPLOITS:
At the time of publication, Microsoft reports that the vulnerability was not publicly disclosed and was not exploited in the wild. Exploit Code Maturity is listed as Unproven, and the exploitability assessment is rated as “Exploitation Unlikely.”
TECHNICAL SUMMARY:
CVE-2026-42898 is caused by improper control of code generation, classified under CWE-94 Code Injection. An authenticated attacker with low privileges can modify the saved state of a Dynamics CRM process session and trigger the application to process maliciously crafted data. This can cause the server to unintentionally execute attacker-controlled code.
The vulnerability has a network attack vector with low attack complexity and does not require user interaction. The CVSS scope is marked as Changed, meaning successful exploitation can impact systems or resources outside the original security boundary managed by the vulnerable component. Confidentiality, integrity, and availability impacts are all rated High.
EXPLOITABILITY:
The affected product is Microsoft Dynamics 365 (on-premises) version 9.1. Exploitation requires a valid authenticated account with low privileges; using that account, an attacker manipulates saved process session data so that the server executes attacker-controlled code.
BUSINESS IMPACT:
Compromise of Dynamics 365 infrastructure can expose customer records, operational workflows, financial information, and integrated business systems. Since CRM environments often connect with identity services, databases, and enterprise applications, successful exploitation could lead to broader organizational compromise and operational disruption.
WORKAROUND:
No mitigations or workarounds are listed. Organizations should apply the official Microsoft security update associated with KB5078943 as soon as possible, and treat every on-premises 9.1 deployment as affected until the update is confirmed installed on it.
URGENCY:
This vulnerability demands immediate attention because it combines a Critical severity rating, network-based exploitation, no user-interaction requirement, and high impact across confidentiality, integrity, and availability. Even though exploitation is currently assessed as unlikely, the low privilege requirement significantly lowers the barrier for attackers who already possess valid credentials, such as a phished or reused user account.
Key Details
- Affected Product: Microsoft Dynamics 365
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- CWE Classification: CWE-94