CVE-2026-48561 – Microsoft Copilot Remote Code Execution Vulnerability

CVSS 9.6 CRITICAL Critical or Zero Day – Immediate Deployment

“AI assistants are becoming trusted productivity tools, but a single unchecked request can turn that trust into an opportunity for attackers.”

A command injection vulnerability in Microsoft Copilot allows an unauthorized attacker to execute code over the network. An attacker can exploit the flaw by hosting a malicious website that causes Microsoft Edge for Android to automatically send crafted prompts to Copilot when a user visits the site. Because the affected component processes these requests without confirmation or origin validation, unintended actions may occur without the user’s awareness. Microsoft has released security updates for the affected Copilot applications.

CVSS Score: 9.6

SEVERITY: Critical

THREAT:
This vulnerability affects Microsoft Copilot by allowing command injection through specially crafted prompts delivered over the network. An attacker does not require privileges and can trigger the attack by enticing a user to visit a malicious website. The affected component may process attacker-controlled prompts without validating their origin or requesting user confirmation, potentially allowing code execution and unauthorized actions. The vulnerability also has a Scope: Changed rating, indicating that successful exploitation can impact resources beyond the originally vulnerable component.

EXPLOITS:
At the time of publication, the vulnerability has not been publicly disclosed and Microsoft has not detected active exploitation. Microsoft assesses exploitation as less likely. The CVSS v3.1 temporal metrics list exploit code maturity as Unproven, and the provided information does not confirm the existence of publicly available proof-of-concept exploit code.

TECHNICAL SUMMARY:
The vulnerability is caused by improper neutralization of special elements used in a command (CWE-77), resulting in a command injection flaw within Microsoft Copilot. According to Microsoft, an attacker can host a malicious website that causes Microsoft Edge for Android to automatically submit crafted prompts to Copilot. Because these requests are processed without adequate confirmation or origin checks, Copilot may execute unintended actions such as accessing or modifying data. Microsoft also notes that the Changed scope reflects that successful exploitation can cross a security boundary, allowing impacts beyond the vulnerable component.

EXPLOITABILITY:
Affected products include Microsoft 365 Copilot for Android and Microsoft 365 Copilot for iOS. Exploitation is performed over the network, requires no privileges, and requires user interaction, specifically a user visiting a malicious website. The attack has low complexity, making exploitation straightforward once the user interaction occurs.

BUSINESS IMPACT:
As AI assistants become integrated into daily business workflows, vulnerabilities affecting them can expose sensitive corporate information and automate malicious actions. Successful exploitation could allow attackers to execute code, manipulate data processed by Copilot, and potentially affect systems beyond the initial target because of the scope change. Organizations using Microsoft Copilot should prioritize remediation to reduce the risk of compromise through malicious web content.

WORKAROUND:
No mitigations or workarounds are available. Microsoft recommends installing the available security updates for affected Microsoft 365 Copilot applications.

URGENCY:
This vulnerability should be deployed urgently because it is rated Critical with a CVSS v3.1 base score of 9.6, one of the highest severity ratings. Although Microsoft has not observed active exploitation, the combination of network-based attack capability, no privileges required, low attack complexity, and the potential to cross security boundaries makes this a high-priority update for organizations using Microsoft 365 Copilot.

Key Details

Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
CWE Classification
CWE-77
Patch this CVE on all your endpoints in under 5 minutes. First 200 endpoints are free forever, scale as needed.