CVE-2026-42898 Overview
CVE-2026-42898 is a code injection vulnerability in Microsoft Dynamics 365 (on-premises) that allows an authorized attacker to execute arbitrary code over a network. The flaw is tracked under CWE-94: Improper Control of Generation of Code and affects the on-premises distribution of the Dynamics 365 business application platform.
Microsoft published the advisory on May 12, 2026. The vulnerability requires low privileges and no user interaction, and exploitation can cross security scopes to impact components beyond the vulnerable service.
Critical Impact
An authenticated attacker can execute code remotely on Dynamics 365 on-premises servers, compromising confidentiality, integrity, and availability of business-critical CRM and ERP data.
Affected Products
- Microsoft Dynamics 365 (on-premises)
- Deployments using the affected CPE cpe:2.3:a:microsoft:dynamics_365:*:*:*:*:on-premises:*:*:*
- Self-hosted Dynamics 365 environments exposed to authenticated network users
Discovery Timeline
- 2026-05-12 - CVE-2026-42898 published to NVD
- 2026-05-12 - Microsoft releases security update guidance via MSRC
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2026-42898
Vulnerability Analysis
The vulnerability stems from improper control over the generation of code within Microsoft Dynamics 365 (on-premises). The application accepts attacker-influenced input that is later evaluated or compiled as executable code, mapping directly to CWE-94.
An authorized user with valid credentials can submit crafted payloads that the server processes as code rather than data. Because the issue results in a scope change, exploitation can affect resources managed by components other than the vulnerable one, expanding the blast radius beyond the initial process boundary.
The EPSS score was 0.076% as of May 17, 2026, indicating low predicted exploitation activity at the time of scoring. However, the high impact on integrated CRM and ERP data warrants prompt remediation regardless of the current probability estimate.
Root Cause
The root cause is insufficient validation and sanitization of input that is passed into a code generation or evaluation routine. When user-controlled data reaches a dynamic execution surface without strict filtering, Dynamics 365 generates and runs code derived from that input. Refer to the Microsoft CVE-2026-42898 Update Guide for vendor-specific technical context.
Attack Vector
The attack is network-based and requires the attacker to hold an authenticated session against the Dynamics 365 on-premises deployment. No user interaction is needed. After authenticating with low privileges, the attacker submits crafted requests whose content the server evaluates as code rather than data, gaining code execution in the context of the Dynamics 365 service account. The compromised process can then reach integrated databases, service accounts, and downstream systems.
No public proof-of-concept exploit, exploit kit entry, or CISA KEV listing has been published for CVE-2026-42898 at the time of writing.
Detection Methods for CVE-2026-42898
Indicators of Compromise
- Unexpected child processes spawned under Dynamics 365 service accounts, in particular the IIS worker process w3wp.exe launching cmd.exe, PowerShell, or Windows Script Host
- Outbound network connections from Dynamics 365 application servers to unfamiliar external hosts
- New or modified server-side scripts, custom workflow assemblies, or plugin registrations submitted by low-privilege accounts
- Authentication events from low-privilege Dynamics 365 users followed by code execution telemetry on the host
Detection Strategies
- Monitor IIS and Dynamics 365 application logs for anomalous POST payloads to customization, workflow, or plugin registration endpoints
- Correlate authenticated Dynamics 365 user sessions with process creation events on the underlying Windows server
- Apply behavioral detection that flags code compilation or script interpreters spawned from CRM web worker processes
- Hunt for newly registered custom workflow activities or business logic submitted shortly before suspicious process activity
Monitoring Recommendations
- Forward Dynamics 365 trace logs, IIS logs, and Windows Security event logs to a centralized SIEM for correlation
- Alert on Dynamics 365 service account activity that deviates from baseline process and network behavior
- Track privilege changes and new plugin or workflow deployments performed by non-administrative users
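The correlation the detection strategies above describe, as an added example that is not part of the original advisory: a SIEM-side Python script that parses a constructed IIS W3C log excerpt and constructed Security 4688-style process-creation events, picks out POSTs to Dynamics 365 customization surfaces (Web API entity sets such as pluginassemblies and the Organization.svc SOAP endpoint), and reports any shell or script host that w3wp.exe spawned on the same server within ten minutes. The organization name CRMOrg, the hostnames, users, client addresses and the s-ip-to-host mapping are all invented for the example. csc.exe is deliberately not treated as suspicious because ASP.NET routinely compiles through it and it would drown the signal.

```python
from datetime import datetime, timedelta

# Constructed IIS W3C log excerpt (not real traffic). "CRMOrg" and the paths are
# illustrative of a Dynamics 365 on-premises organization; real deployments differ.
IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-username c-ip sc-status
2026-05-15 09:12:01 10.0.1.5 GET /CRMOrg/main.aspx CORP\\jsmith 10.0.2.20 200
2026-05-15 09:14:37 10.0.1.5 POST /CRMOrg/api/data/v9.0/pluginassemblies CORP\\jsmith 10.0.2.20 204
2026-05-15 09:20:10 10.0.1.5 POST /CRMOrg/XRMServices/2011/Organization.svc/web CORP\\admin 10.0.2.9 200
2026-05-15 10:02:44 10.0.1.5 POST /CRMOrg/api/data/v9.0/accounts CORP\\jsmith 10.0.2.20 204
"""

# Constructed mapping from the IIS s-ip field to the Windows hostname that emits 4688 events.
SERVER_HOSTS = {"10.0.1.5": "crm-app01"}

# Constructed process-creation events (Security 4688 / Sysmon event ID 1 carry these fields).
PROCESS_EVENTS = [
    {"time": "2026-05-15 09:15:02", "host": "crm-app01", "user": "CORP\\svc-crmapp",
     "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe"},
    {"time": "2026-05-15 09:21:00", "host": "crm-app01", "user": "CORP\\svc-crmapp",
     "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"},
    {"time": "2026-05-15 11:00:00", "host": "crm-app01", "user": "CORP\\admin",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe"},
]

# Web API entity sets and the SOAP endpoint through which custom code is registered.
CUSTOMIZATION_PATHS = ("/pluginassemblies", "/plugintypes", "/sdkmessageprocessingsteps",
                       "/webresources", "/workflows", "/xrmservices/2011/organization.svc")

# Shells and script hosts an IIS worker process has no business launching. csc.exe is
# intentionally absent: ASP.NET dynamic compilation spawns it and it would flood alerts.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe",
                       "wscript.exe", "mshta.exe", "rundll32.exe"}


def parse_iis(text):
    """Turn a W3C extended log into dicts keyed by the names in its #Fields directive."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            rows.append(dict(zip(fields, line.split())))
    return rows


def is_customization_post(row):
    uri = row["cs-uri-stem"].lower()
    return row["cs-method"] == "POST" and any(p in uri for p in CUSTOMIZATION_PATHS)


def is_suspicious_child(event):
    parent = event["parent"].rsplit("\\", 1)[-1].lower()
    image = event["image"].rsplit("\\", 1)[-1].lower()
    return parent == "w3wp.exe" and image in SUSPICIOUS_CHILDREN


def correlate(iis_text, process_events, window=timedelta(minutes=10)):
    """Pair each customization POST with suspicious w3wp.exe children on the same host
    that started within `window` after the request; returns one finding per pair."""
    ts = lambda s: datetime.strptime(s, "%Y-%m-%d %H:%M:%S")
    posts = [r for r in parse_iis(iis_text) if is_customization_post(r)]
    children = [e for e in process_events if is_suspicious_child(e)]
    findings = []
    for r in posts:
        t0 = ts(f"{r['date']} {r['time']}")
        host = SERVER_HOSTS.get(r["s-ip"], r["s-ip"])
        for e in children:
            t1 = ts(e["time"])
            if e["host"] == host and t0 <= t1 <= t0 + window:
                findings.append({"user": r["cs-username"], "client": r["c-ip"],
                                 "uri": r["cs-uri-stem"], "host": host,
                                 "child": e["image"],
                                 "seconds_after": int((t1 - t0).total_seconds())})
    return findings


if __name__ == "__main__":
    for finding in correlate(IIS_LOG, PROCESS_EVENTS):
        print(finding)
```

On the constructed data the script returns a single finding: jsmith's POST to pluginassemblies followed 25 seconds later by w3wp.exe spawning cmd.exe. The admin's SOAP call followed by csc.exe is not reported, nor is the cmd.exe launched from explorer.exe, which is why the parent-process check matters as much as the child image.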
How to Mitigate CVE-2026-42898
Immediate Actions Required
- Apply the Microsoft security update referenced in the MSRC advisory for CVE-2026-42898 to all on-premises Dynamics 365 servers
- Audit Dynamics 365 user accounts and remove or restrict accounts that no longer require access
- Review custom plugins, workflows, and server-side scripts deployed in the last 90 days for unauthorized changes
- Restrict network exposure of Dynamics 365 on-premises servers to trusted internal networks and VPN users only
Patch Information
Microsoft has published remediation guidance through the Microsoft CVE-2026-42898 Update Guide. Administrators should consult MSRC for the specific cumulative update or hotfix applicable to their Dynamics 365 on-premises version and apply it promptly as an emergency change rather than waiting for the next scheduled maintenance window, given the remote code execution impact described above.
Workarounds
- Enforce least privilege on Dynamics 365 security roles, limiting customization and plugin registration permissions to administrators
- Place Dynamics 365 application endpoints behind a web application firewall configured to inspect requests to customization APIs
- Disable or tightly control unused custom code execution features such as custom workflow assemblies where not required
- Require multi-factor authentication for all Dynamics 365 users to reduce the risk of credentialed access by attackers
# Configuration example: restrict Dynamics 365 HTTPS to trusted subnets via Windows Firewall.
# An Allow rule alone restricts nothing: the profile default must be Block and no broader rule
# (such as the IIS "World Wide Web Services (HTTPS Traffic-In)" rule) may still admit TCP/443.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block
Get-NetFirewallRule -Direction Inbound -Enabled True |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains "443" } |
    Disable-NetFirewallRule
New-NetFirewallRule -DisplayName "Restrict-Dynamics365-HTTPS" `
    -Direction Inbound `
    -Protocol TCP `
    -LocalPort 443 `
    -RemoteAddress 10.0.0.0/8,192.168.0.0/16 `
    -Action Allow `
    -Profile Domain,Private
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


