Critical SSRF in Microsoft Dynamics 365 Poses Spoofing Risk
The National Vulnerability Database has disclosed CVE-2026-32210, a critical server-side request forgery (SSRF) vulnerability impacting Microsoft Dynamics 365 (Online). Rated CVSS 9.3, the flaw allows an unauthenticated attacker to perform spoofing over a network. The high CVSS score, coupled with the network attack vector and no required user interaction (UI:R in the vector refers to the user being the target of the spoofing, not an action needed for the attack), makes this a serious issue.
SSRF vulnerabilities are particularly dangerous because they enable attackers to force the server-side application to make requests to an arbitrary domain, often internal networks that are otherwise inaccessible. This can lead to information disclosure, port scanning, or even remote code execution in some scenarios. While the National Vulnerability Database specifies ‘spoofing’ as the primary impact, the nature of SSRF suggests broader implications for data confidentiality and integrity within Dynamics 365 environments.
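The destination check that blunts the SSRF behaviour described above, as an added example that is not from NVD, Microsoft or the original article. It illustrates SSRF defence in general rather than the unpublished details of CVE-2026-32210; the function names, the `SAMPLE_DNS` table and the `.example` hosts are constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Constructed name-to-address table so the example runs offline.
SAMPLE_DNS = {"public.example": {"8.8.8.8"},
              "mixed.example": {"8.8.8.8", "10.0.0.5"}}

def sample_resolver(host):
    """Stand-in for DNS, backed by the constructed SAMPLE_DNS table."""
    if host not in SAMPLE_DNS:
        raise OSError("name not found")
    return SAMPLE_DNS[host]

def dns_resolver(host):
    """Real lookup: every address the name currently maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def is_internal(addr):
    """True for any address that is not globally routable."""
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.5) before classifying.
    if ip.version == 6 and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    return not ip.is_global

def check_outbound_url(url, resolver=dns_resolver):
    """Return (allowed, reason) for a URL the server was asked to fetch."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return False, "malformed url"
    if parts.scheme not in ALLOWED_SCHEMES or not host:
        return False, "scheme or host not allowed"
    try:
        addrs = {str(ipaddress.ip_address(host))}  # literal IP, no DNS
    except ValueError:
        try:
            addrs = set(resolver(host))
        except OSError:
            return False, "resolution failed"
    # Reject if ANY address is internal: one name can map to both kinds.
    bad = sorted(a for a in addrs if is_internal(a))
    if bad:
        return False, "internal address " + bad[0]
    return (True, "ok") if addrs else (False, "resolution failed")
```

The fetch that follows must connect to the address that was validated and re-run the check on every redirect; otherwise a second DNS answer or a 3xx response can still steer the request inward.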
Organizations running Microsoft Dynamics 365 (Online) must prioritize assessing their exposure. Given the ‘critical’ severity and unauthenticated nature, this vulnerability presents a significant attack surface. Defenders should monitor Microsoft’s security advisories closely for patches and mitigation guidance, as the National Vulnerability Database has not yet specified affected product versions.
What This Means For You
- If your organization relies on Microsoft Dynamics 365 (Online), this critical SSRF vulnerability is a direct threat. You need to immediately track Microsoft's official security updates for CVE-2026-32210 and prepare to patch or implement any recommended mitigations. An unauthenticated network attacker could spoof internal systems, potentially leading to unauthorized access or data exfiltration.
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-32210 | SSRF | Microsoft Dynamics 365 (Online) |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 24, 2026 at 01:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.