🟠 High | Source: Microsoft Security Response Center
A privilege escalation vulnerability in Microsoft Dynamics 365 on-premises, tracked as CVE-2026-40371, allows an attacker to gain elevated permissions within the application. Microsoft has corrected its remediation guidance: the fix is contained in Dynamics 365 Server v9.1 Update 1.45 (build 9.1.0045.0011), not the previously stated version 6.2. Organisations that applied the earlier guidance should verify they are running the correct build to ensure they are actually protected.
Security Architect’s Take: Audit your Dynamics 365 on-premises deployments immediately and confirm the installed build is 9.1.0045.0011 or later — do not assume earlier patching attempts were sufficient given the corrected version guidance. If you manage hybrid environments where on-premises Dynamics 365 integrates with Azure services, treat unpatched instances as a potential lateral movement risk and prioritise the update accordingly.
Original advisory: CVE-2026-40371 Microsoft Dynamics 365 (on-premises) Elevation of Privilege Vulnerability
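The build check recommended above can be run across an exported inventory. The script below is an added example, not Microsoft's code: it assumes the installed builds have already been collected into a CSV, and the host names and build values are constructed. It compares builds numerically, because zero-padded strings such as 9.1.0045.0011 sort incorrectly as text, and it treats unreadable values as unverified rather than patched.

```python
import csv
import io
import re

FIXED_BUILD = "9.1.0045.0011"  # fixed build stated in the advisory text above

# Constructed sample inventory: hypothetical hosts and build strings.
SAMPLE_INVENTORY = """host,build
crm-app-01,9.1.0045.0011
crm-app-02,9.1.45.11
crm-app-03,9.1.0044.0020
crm-app-04,9.1.0046.0002
crm-app-05,9.1.9.8
crm-app-06,unknown
"""

def parse_build(text):
    """Return (major, minor, build, revision) as ints, or None if malformed."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){3}", text, re.ASCII):
        return None
    return tuple(int(part) for part in text.split("."))

def audit(inventory_csv, fixed=FIXED_BUILD):
    """Map each host to OK, VULNERABLE or UNVERIFIED against the fixed build."""
    fixed_build = parse_build(fixed)
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        build = parse_build(row["build"])
        if build is None:
            status = "UNVERIFIED"   # fail closed: cannot prove it is patched
        elif build >= fixed_build:  # tuple comparison is numeric per component
            status = "OK"
        else:
            status = "VULNERABLE"
        results[row["host"]] = status
    return results

def hosts_needing_action(inventory_csv):
    """Hosts that are below the fixed build or whose build could not be read."""
    return sorted(h for h, s in audit(inventory_csv).items() if s != "OK")

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Host crm-app-05 (9.1.9.8) is the case a plain string comparison gets wrong: as text it sorts above 9.1.0045.0011, but numerically it is below the fixed build.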