CVE-2025-58112 Overview
CVE-2025-58112 is a SQL Injection vulnerability in Microsoft Dynamics 365 Customer Engagement (on-premises) version 1612 (9.0.2.3034). The vulnerability exists in the report generation functionality, which allows the upload and processing of Report Definition Language (RDL) files containing raw SQL queries. These files are processed by SQL Server Reporting Services (SSRS), enabling attackers with the "Add Reporting Services Reports" privilege to execute arbitrary SQL commands against the underlying database.
Critical Impact
Attackers can execute arbitrary SQL commands in the underlying database, potentially accessing linked servers or executing operating system commands depending on SSRS service account permissions.
Affected Products
- Microsoft Dynamics 365 Customer Engagement (on-premises) 1612 (9.0.2.3034)
Discovery Timeline
- 2026-03-18 - CVE CVE-2025-58112 published to NVD
- 2026-03-19 - Last updated in NVD database
Technical Details for CVE-2025-58112
Vulnerability Analysis
This vulnerability is classified as CWE-89 (SQL Injection), affecting the report generation mechanism in Microsoft Dynamics 365 Customer Engagement. The flaw stems from the application's handling of RDL files, which are XML-based documents used to define SQL Server Reporting Services reports.
When a user uploads an RDL file containing custom SQL queries, the application processes these queries through SQL Server Reporting Services without adequate validation or sanitization of the embedded SQL statements. This allows an attacker to craft malicious RDL files containing arbitrary SQL commands that will be executed when the report is generated.
The attack surface extends beyond simple data exfiltration. Depending on the permissions granted to the SQL Server Reporting Services account, an attacker may leverage this vulnerability to access linked servers within the database infrastructure or execute operating system commands through mechanisms such as xp_cmdshell, leading to potential system-level compromise.
Root Cause
The root cause of this vulnerability lies in insufficient input validation of SQL queries embedded within uploaded RDL files. The application trusts the contents of RDL files and passes embedded queries directly to SQL Server Reporting Services for execution without proper sanitization or parameterization. This trust relationship between the application and SSRS creates an injection point where malicious SQL can be introduced.
Attack Vector
The attack requires network access and low-privilege authentication. An attacker must possess an account with the "Add Reporting Services Reports" privilege to upload a malicious RDL file. However, if a malicious RDL file has already been uploaded to the system and is executable by the user, the upload privilege is not required—the attacker simply needs to trigger the report generation to execute the embedded SQL commands.
The attack flow involves crafting an RDL file containing malicious SQL statements within the report's data source definition or dataset queries. Upon triggering report generation, the embedded SQL commands execute with the privileges of the SSRS service account, potentially allowing escalation to database administrator or even operating system-level access.
Detection Methods for CVE-2025-58112
Indicators of Compromise
- Suspicious RDL file uploads containing unusual SQL commands such as xp_cmdshell, OPENROWSET, or queries targeting system tables
- Unexpected SQL Server Reporting Services activity, particularly report executions that coincide with database anomalies
- Audit logs showing privilege escalation attempts or access to linked servers from SSRS processes
Detection Strategies
- Monitor SQL Server audit logs for queries originating from SSRS that contain suspicious patterns such as system stored procedures or dynamic SQL execution
- Implement file integrity monitoring on the ReportServer database and RDL file storage locations
- Configure alerts for RDL file uploads by users outside of approved report development roles
Monitoring Recommendations
- Enable detailed logging for SQL Server Reporting Services, including execution logs and data source access patterns
- Implement database activity monitoring to detect anomalous queries executed under SSRS service account context
- Review and audit all existing RDL files for embedded SQL queries that may indicate prior compromise
How to Mitigate CVE-2025-58112
Immediate Actions Required
- Audit all accounts with "Add Reporting Services Reports" privilege and restrict to essential personnel only
- Review existing RDL files in the system for potentially malicious SQL content
- Implement network segmentation to limit access to SSRS endpoints from untrusted networks
- Consider temporarily disabling RDL upload functionality until patches are applied
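The review of existing RDL files recommended under Monitoring Recommendations and Immediate Actions can be scripted, since RDL is plain XML and every dataset query sits in a CommandText element. The following audit script is an added example, not code from the advisory or from Microsoft; the indicator list is built from the patterns this page names (xp_cmdshell, OPENROWSET, system tables, dynamic SQL) and the sample report is constructed for the demonstration.

```python
import re
import sys
import xml.etree.ElementTree as ET

# Indicators a legitimate Dynamics report query should never contain.
# Hypothetical starter list derived from the advisory's IoCs; extend as needed.
SUSPICIOUS = [
    ("xp_cmdshell", re.compile(r"\bxp_cmdshell\b", re.I)),
    ("ad hoc remote query", re.compile(r"\bOPEN(ROWSET|DATASOURCE|QUERY)\b", re.I)),
    ("sp_configure", re.compile(r"\bsp_configure\b", re.I)),
    ("dynamic SQL", re.compile(r"\b(sp_executesql\b|EXEC(UTE)?\s*\()", re.I)),
    ("system objects", re.compile(r"\b(master\.\.|sys\.|INFORMATION_SCHEMA\.)", re.I)),
]

def _local(tag: str) -> str:
    # RDL files use several namespace versions; match on the local name only.
    return tag.rsplit("}", 1)[-1]

def audit_rdl(rdl_xml: str) -> list:
    """Return (dataset name, indicator, normalised query) for every hit in one RDL document."""
    root = ET.fromstring(rdl_xml)
    findings = []
    for ds in root.iter():
        if _local(ds.tag) != "DataSet":
            continue
        name = ds.get("Name", "?")
        for el in ds.iter():
            if _local(el.tag) == "CommandText" and el.text:
                query = " ".join(el.text.split())
                for label, rx in SUSPICIOUS:
                    if rx.search(query):
                        findings.append((name, label, query))
    return findings

# Constructed sample: one benign dataset against a Dynamics filtered view,
# one dataset carrying an OS-command call that should be flagged.
SAMPLE_RDL = """<Report xmlns="http://schemas.microsoft.com/sqlserver/reporting/2016/01/reportdefinition">
  <DataSets>
    <DataSet Name="Accounts"><Query><DataSourceName>CRM</DataSourceName>
      <CommandText>SELECT name, accountnumber FROM FilteredAccount</CommandText></Query></DataSet>
    <DataSet Name="Maint"><Query><DataSourceName>CRM</DataSourceName>
      <CommandText>EXEC master..xp_cmdshell 'echo test'</CommandText></Query></DataSet>
  </DataSets>
</Report>"""

if __name__ == "__main__":
    # Usage: python audit_rdl.py report1.rdl report2.rdl ...  (no args: scan the sample)
    sources = [(p, open(p, encoding="utf-8-sig").read()) for p in sys.argv[1:]] or [("sample", SAMPLE_RDL)]
    for path, xml in sources:
        for name, label, query in audit_rdl(xml):
            print(f"{path}: dataset {name!r}: {label}: {query}")
```

The same function can be pointed at RDL bodies exported from the ReportServer catalog, which is where uploaded reports are stored on the SSRS side.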
Patch Information
Organizations should monitor Microsoft's official security advisories for patches addressing this vulnerability. Additional technical details and proof-of-concept information may be available in the security researcher's GitHub Gist.
Workarounds
- Restrict the "Add Reporting Services Reports" privilege to a minimal set of trusted administrators
- Configure SQL Server Reporting Services to run under a low-privilege service account with minimal database permissions
- Disable xp_cmdshell and other dangerous extended stored procedures on the SQL Server instance
- Implement stored procedure execution restrictions to prevent linked server access from SSRS queries
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.