HarborGuard Database

CRITICAL | CVE-2026-47647 | CNA: microsoft

CVE-2026-47647: Dynamics 365 Elevation of Privilege Vulnerability

Improper access control in Microsoft Dynamics 365 allows an authorized attacker to elevate privileges over a network.

Metrics

CVSS v3.1: 9.9
Severity: CRITICAL
Fixed in: no fix version published
Affected Products: 1


HarborGuard Analysis

Synopsis

An improper access control vulnerability in Microsoft Dynamics 365 allows a network-accessible attacker with a low-privilege account to elevate their privileges to a higher level within the application. The exploit requires no victim interaction and, given the Changed scope in the CVSS vector, a successful attacker gains control that extends beyond the Dynamics 365 application boundary itself, enabling full confidentiality, integrity, and availability impact across affected systems. No fix version has been published; HarborGuard is tracking this advisory for patch availability.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including Microsoft's advisory channel, within minutes of publication and matched against customer images, including custom-built images that bundle Dynamics 365 components. Any image carrying an affected version is flagged automatically as the record enters the feed.

Triage: Available

Triage is available with CVSS 9.9 Critical scoring applied immediately, with per-environment compliance policy weighting to escalate or suppress noise based on each customer organization's risk posture. Routing to the appropriate team inbox within each customer org is handled as soon as the match is confirmed.

Patch: Pending upstream

Because no upstream fix has been published, HarborGuard re-checks the Microsoft advisory each ingest cycle and will make a patched-image rebuild available the moment a fix version is released. In the interim, customers can apply compensating controls through HarborGuard's network-policy and egress-filtering recommendations to reduce exposure.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Dynamics 365 service over the network; no physical or local access is needed.

  • Authentication: Required

    Any low-privilege account is sufficient; the attacker does not need administrative credentials to trigger the escalation.

  • Victim interaction: Not required

    No user action is required; the attacker can trigger the vulnerability entirely without involving another person.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, memory layout, or other environmental factors.

Blast Radius

  • A successful attacker reads all data accessible within Dynamics 365, including customer records, business data, and stored credentials or session tokens.
  • The attacker modifies or deletes persisted records and application configuration across the Dynamics 365 instance.
  • The attacker can crash or make the Dynamics 365 service unavailable to legitimate users.
  • Because the CVSS scope is Changed, the attacker gains impact that extends beyond the Dynamics 365 process boundary and can affect other systems or services on the same host or adjacent infrastructure.

How HarborGuard Handles This

Available on HarborGuard: this CVE is currently without an upstream fix, so HarborGuard monitors the Microsoft advisory on every ingest cycle and will surface a patched-image rebuild the moment Microsoft publishes a remediated version. For customers who opt into auto-remediation, that rebuild will trigger a regression-test run and a PR opened against affected workloads automatically, without requiring manual intervention. While no patch exists, customers can reduce exposure by applying network-policy isolation to restrict which services can reach Dynamics 365 endpoints, enabling egress filtering to limit lateral movement in the event of a breach, and using feature-flag gating to disable non-essential integrations. Where compliance policy permits, HarborGuard can enforce these compensating controls as policy-as-code rules applied across affected environments. Given the Critical (9.9) severity and the absence of a fix, HarborGuard flags this CVE at the highest escalation tier for all environments where a matching image is detected.

Affected packages
  • Microsoft / Microsoft Dynamics 365 (affected version range not given)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C