Microsoft Dynamics 365 On-Premises Critical Code Injection (CVE-2026-42898)
A critical code injection vulnerability, tracked as CVE-2026-42898, has been identified in Microsoft Dynamics 365 (on-premises) editions. The National Vulnerability Database assigns this flaw a CVSSv3.1 score of 9.9, labeling it as CRITICAL. This isn’t just a theoretical risk; it’s a direct path to total system compromise if exploited.
The National Vulnerability Database reports that an authenticated attacker can leverage this vulnerability to execute arbitrary code remotely over a network. The ‘Improper control of generation of code’ (CWE-94) classification indicates a severe logic flaw that allows attacker-controlled input to be executed as code. For on-premises deployments, this means an attacker who gains even low-level authenticated access can escalate privileges and achieve full system takeover, potentially moving laterally into other critical business systems.
This isn’t a complex, multi-stage attack requiring advanced tradecraft. The attacker’s calculus is simple: gain initial access, then exploit this to own the box. For defenders, especially CISOs overseeing Dynamics 365 on-premises, this demands immediate attention. Patching is non-negotiable, and a thorough review of access controls for Dynamics 365 instances is paramount, focusing on the principle of least privilege to minimize the blast radius of any initial compromise.
What This Means For You
- If your organization relies on Microsoft Dynamics 365 on-premises, you are directly exposed to a critical remote code execution vulnerability. Prioritize patching for CVE-2026-42898 immediately. Audit all user accounts and service accounts with access to Dynamics 365, ensuring they operate with the absolute minimum necessary privileges. Assume authenticated attackers will attempt to leverage this for full system compromise.
🛡️ Detection Rules
3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK.
CVE-2026-42898 - Microsoft Dynamics 365 Critical Code Injection
```yaml
title: CVE-2026-42898 - Microsoft Dynamics 365 Critical Code Injection
id: scw-2026-05-12-ai-1
status: experimental
level: critical
description: |
    This rule detects potential exploitation attempts against Microsoft Dynamics 365 on-premises by looking for specific URL patterns commonly associated with the CVE-2026-42898 vulnerability. The vulnerability allows for code injection via crafted 'navurl' parameters in the query string, enabling an attacker to execute arbitrary code.
author: SCW Feed Engine (AI-generated)
date: 2026-05-12
references:
    - https://shimiscyberworld.com/posts/nvd-CVE-2026-42898/
tags:
    - attack.initial_access
    - attack.t1190
logsource:
    category: webserver
detection:
    selection:
        # In raw IIS W3C logs the path is in cs-uri-stem and cs-uri-query holds only the text after '?',
        # so these strings match only where the backend maps cs-uri-query to the full request URI.
        # Every string that contains the second value also contains the first.
        cs-uri-query|contains:
            - 'Dynamics/Pages/Default.aspx?navurl='
            - 'Dynamics/Pages/Default.aspx?navurl=javascript:'
    condition: selection
falsepositives:
    - Legitimate administrative activity
```
Source: Shimi's Cyber World
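As an added example (not part of the original post or of the rule author's tooling), the Python below applies the rule's two strings to IIS W3C log lines and separates the broad `navurl=` match from the narrower `javascript:` one. It assumes IIS field names taken from the `#Fields` header, rejoins `cs-uri-stem` and `cs-uri-query` before matching, and runs on a constructed sample log; all function names are hypothetical.

```python
from urllib.parse import unquote

# Strings taken from the Sigma rule on this page, lowercased for comparison.
BROAD = "dynamics/pages/default.aspx?navurl="
NARROW = BROAD + "javascript:"

# Constructed sample in IIS W3C format (hosts, users and requests are made up).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2026-05-13 09:14:02 GET /Dynamics/Pages/Default.aspx navurl=/tools/report.aspx alice 192.0.2.21 200
2026-05-13 09:15:40 GET /Dynamics/Pages/Default.aspx navurl=JavaScript%3Avoid(0) svc-web 192.0.2.87 200
2026-05-13 09:16:11 GET /Dynamics/Pages/Default.aspx - alice 192.0.2.21 200
2026-05-13 09:17:30 GET /Dynamics/Other.aspx navurl=javascript:void(0) bob 192.0.2.44 404
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.strip() and not line.startswith("#"):
            yield dict(zip(fields, line.split()))

def classify(entry):
    """Return 'narrow', 'broad' or None for one parsed request."""
    query = entry.get("cs-uri-query", "-")
    if query == "-":  # IIS writes '-' when there is no query string
        return None
    # IIS logs path and query in separate fields; rejoin them so the rule's
    # 'path?navurl=' strings can match, then decode %xx and fold case.
    uri = unquote(entry.get("cs-uri-stem", "") + "?" + query).lower()
    if NARROW in uri:
        return "narrow"
    return "broad" if BROAD in uri else None

def triage(text):
    """Return (user, client_ip, verdict) for every request the rule would flag."""
    hits = []
    for entry in parse_w3c(text):
        verdict = classify(entry)
        if verdict:
            hits.append((entry["cs-username"], entry["c-ip"], verdict))
    return hits

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit)
```

Because the rule's first string matches any use of `navurl=` on that page, "broad" hits are best treated as triage input per account and source address rather than as alerts.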
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-42898 | Code Injection | Microsoft Dynamics 365 (on-premises) |
| CVE-2026-42898 | RCE | execute code over a network |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 12, 2026 at 21:17 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.