A flaw in Microsoft Dynamics 365 allows an already-authenticated attacker to gain higher privileges than they should have, purely over the network — no physical access required. This means a low-privileged user or compromised account could be leveraged to access sensitive business data or administrative functions within Dynamics 365. Given how widely Dynamics 365 is used for CRM and ERP workflows, the potential business impact is significant.

Security Architect’s Take: Audit current Dynamics 365 role assignments and apply the least-privilege principle immediately — remove any unnecessary elevated roles whilst Microsoft’s patch is applied. Prioritise patching for tenants where Dynamics 365 is integrated with other Azure services or holds sensitive customer and financial data.

Original advisory: CVE-2026-47647 Dynamics 365 Elevation of Privilege Vulnerability