CVE-2024-35248 Overview
CVE-2024-35248 is an elevation of privilege vulnerability in Microsoft Dynamics 365 Business Central. The flaw allows a network-based attacker to gain elevated privileges within the application without requiring authentication or user interaction. Microsoft assigned a CVSS 3.1 base score of 7.3, and the vulnerability is mapped to [CWE-287] Improper Authentication and [CWE-1390] Weak Authentication. The Exploit Prediction Scoring System (EPSS) places this issue at 1.701% with an 82.6 percentile ranking, indicating elevated exploitation likelihood relative to most CVEs.
Critical Impact
An unauthenticated attacker with network access to a vulnerable Dynamics 365 Business Central instance can elevate privileges and gain unauthorized access to confidentiality, integrity, and availability of business data.
Affected Products
- Microsoft Dynamics 365 Business Central 2023 Release Wave 1
- Microsoft Dynamics 365 Business Central 2023 Release Wave 2
- Microsoft Dynamics 365 Business Central 2024 Release Wave 1
Discovery Timeline
- 2024-06-11 - CVE-2024-35248 published to the National Vulnerability Database (NVD)
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-35248
Vulnerability Analysis
The vulnerability resides in the authentication and authorization logic of Microsoft Dynamics 365 Business Central. An attacker reaching the application over the network can bypass intended privilege boundaries and perform actions reserved for higher-privileged accounts. Microsoft categorized the flaw as elevation of privilege, and the CWE mapping points to weak authentication controls rather than memory corruption or injection.
Successful exploitation does not require credentials or user interaction. This expands the threat surface to any actor able to reach the Business Central endpoint, including internal users on the same network and external attackers if the service is exposed.
Root Cause
The root cause aligns with [CWE-287] Improper Authentication and [CWE-1390] Weak Authentication. The application accepts requests or session states that should be rejected, allowing an attacker to act with privileges beyond those granted to their session. Microsoft has not published implementation-level details in the public advisory.
Attack Vector
The attack vector is network-based with low attack complexity. The attacker sends crafted requests to the Business Central service over its exposed network interface. Because the issue affects authentication, the attacker does not need valid credentials to begin the attack chain. Specific exploitation details have not been released, and no public proof-of-concept exists at the time of writing.
No verified exploitation code is available. Refer to the Microsoft Security Update Guide for vendor-supplied technical context.
Detection Methods for CVE-2024-35248
Indicators of Compromise
- Unexpected privilege changes or new administrative role assignments within Business Central audit logs.
- Authentication events originating from unusual IP ranges or service accounts performing actions outside their normal scope.
- Anomalous API calls to Business Central endpoints lacking corresponding interactive user sessions.
Detection Strategies
- Enable and centralize Business Central activity, telemetry, and audit logs in a SIEM for correlation against identity and network telemetry.
- Baseline normal privileged operations per user and alert on deviations such as bulk record modifications or permission changes.
- Monitor for requests to administrative endpoints from sessions that did not complete a standard authentication flow.
Monitoring Recommendations
- Forward Business Central and Azure sign-in logs to a centralized analytics platform for retention and threat hunting.
- Track failed-to-successful authentication patterns and post-authentication privilege transitions in near real time.
- Continuously verify that all Business Central tenants are running supported, patched builds.
How to Mitigate CVE-2024-35248
Immediate Actions Required
- Apply the Microsoft June 2024 security update for Dynamics 365 Business Central across all affected release waves.
- Inventory all Business Central instances, including on-premises deployments, and verify patch status.
- Restrict network access to Business Central management endpoints to trusted administrative networks only.
- Review recent privilege assignments and audit logs for signs of pre-patch abuse.
Patch Information
Microsoft released a security update for CVE-2024-35248 on June 11, 2024. Detailed patch availability per release wave is published in the Microsoft Security Update Guide for CVE-2024-35248. Online (SaaS) tenants are updated by Microsoft, while on-premises customers must deploy the corresponding cumulative update manually.
Workarounds
- No vendor-supplied workaround replaces the patch. Apply the security update as the primary remediation.
- Reduce exposure by placing Business Central behind a VPN or zero-trust network access gateway until patched.
- Enforce least-privilege role assignments and remove dormant or excessive administrative accounts.
# Verify Business Central platform build on Windows host
Get-NAVServerInstance | Select-Object ServerInstance, Version, State
# Restrict inbound access to management endpoints via Windows Firewall
New-NetFirewallRule -DisplayName "BC-Admin-Restrict" -Direction Inbound \
-Protocol TCP -LocalPort 7045,7046,7047,7048,7049 \
-RemoteAddress 10.0.0.0/24 -Action Allow
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
