CVE-2026-55944 – Microsoft Dynamics NAV and Microsoft Dynamics 365 Business Central (On Premises) Remote Code Execution Vulnerability

CVSS 9.8 CRITICAL Critical or Zero Day – Immediate Deployment

“A server that accepts untrusted data without proper validation can give attackers complete control without ever asking for credentials.”

A deserialization of untrusted data vulnerability in Microsoft Dynamics NAV and Microsoft Dynamics 365 Business Central (On Premises) allows an unauthorized attacker to execute arbitrary code over the network. An attacker can exploit the vulnerability by sending a specially crafted login request to an affected server. The attack requires no authentication and no user interaction, making it a significant risk for exposed systems. Microsoft has released an official fix for affected deployments.

CVSS Score: 9.8

SEVERITY: Critical

THREAT:
This vulnerability affects Microsoft Dynamics NAV and Microsoft Dynamics 365 Business Central (On Premises). An unauthenticated attacker can send a specially crafted login request to a vulnerable server and execute arbitrary code remotely. Because the attack is performed over the network with no privileges or user interaction required, internet-facing or otherwise accessible servers are at the greatest risk.

EXPLOITS:
At the time of publication, the vulnerability has not been publicly disclosed and Microsoft has not detected active exploitation. Microsoft assesses exploitation as more likely. The CVSS v3.1 temporal metrics list exploit code maturity as Unproven, and the provided information does not confirm the existence of publicly available proof-of-concept exploit code.

TECHNICAL SUMMARY:
The vulnerability is caused by deserialization of untrusted data (CWE-502) within Microsoft Dynamics NAV and Microsoft Dynamics 365 Business Central (On Premises). By sending a specially crafted login request, an attacker can trigger insecure deserialization, resulting in arbitrary code execution on the target server. Successful exploitation can fully compromise the confidentiality, integrity, and availability of the affected system.

EXPLOITABILITY:
The confirmed affected product is Microsoft Dynamics NAV 2018. Microsoft states the vulnerability also affects Microsoft Dynamics 365 Business Central (On Premises), although the affected software table in the provided information confirms only Microsoft Dynamics NAV 2018. Exploitation is performed over the network, requires no privileges, no user interaction, and can be carried out by sending a specially crafted login request to the vulnerable server.

BUSINESS IMPACT:
Microsoft Dynamics platforms frequently manage financial records, customer information, inventory, and other business-critical data. Successful exploitation could allow attackers to gain complete control of an affected server, steal or manipulate sensitive business information, disrupt operations, deploy ransomware, and use the compromised server as a pivot point for attacks against other enterprise systems.

WORKAROUND:
No mitigations or workarounds are available. Microsoft recommends installing the official security update for affected systems.

URGENCY:
This vulnerability should be deployed urgently because it is rated Critical with a CVSS v3.1 base score of 9.8, the highest severity range. The attack can be performed remotely over the network without authentication or user interaction, and Microsoft assesses exploitation as more likely. Organizations running affected Dynamics environments should prioritize deployment of the security update to reduce the risk of complete server compromise.

Key Details

Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
CWE Classification
CWE-502
Patch this CVE on all your endpoints in under 5 minutes. First 200 endpoints are free forever, scale as needed.