Platform: dotnet
Component: dynamics-365-sales
CVE-2025-21177 is a server-side request forgery (SSRF) vulnerability in Microsoft Dynamics 365 Sales. An authenticated attacker can use it to elevate privileges and reach resources on the internal network. Microsoft has acknowledged the issue; this page does not list a specific affected or fixed version, so check the Microsoft advisory for the exact range.
In an SSRF, the attacker does not connect to internal systems directly: the Dynamics 365 Sales service is induced to make the request on the attacker's behalf, so the request originates from inside the trusted network with the service's own network position and, potentially, its credentials. That lets an attacker with legitimate, low-privileged access reach resources that are not exposed to the internet, such as internal APIs, databases, or other back-end services. Successful exploitation could lead to unauthorized data access, modification, or deletion, and the elevation-of-privilege aspect means an attacker could gain control over Dynamics 365 Sales functionality and affect connected services. Authentication is required, but the privilege escalation significantly raises the impact of any compromised or malicious low-privileged account.
CVE-2025-21177 was publicly disclosed on February 6, 2025. The EPSS score listed for it is 0.53% (67th percentile). No public proof-of-concept (PoC) code has been released at the time of writing, but SSRF bugs are generally straightforward to exploit once the vulnerable request path is known. Monitor CISA and Microsoft security advisories for updates and reports of exploitation.
Exploit Status
EPSS: 0.53% (67th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2025-21177 is to apply the vendor-provided update for Microsoft Dynamics 365 Sales. Until the fix is in place, restrict the outbound network requests the service can make: enforce egress filtering with firewall rules or a forward proxy that allows only the external hosts the integration legitimately needs, and block requests to private, loopback and link-local address ranges (including cloud metadata endpoints such as 169.254.169.254). Note that a web application firewall inspects inbound traffic to the application and does not, by itself, stop requests the server makes outbound; egress controls are what limit an SSRF. Review and reduce the permissions of Dynamics 365 Sales users to limit what a compromised account can reach. Monitor Dynamics 365 Sales logs for outbound requests to internal or unexpected destinations, unusual URL schemes, and bursts of requests from a single user.
Microsoft has released a security update for Dynamics 365 Sales. Install the latest available version to fix the elevation-of-privilege vulnerability. See the Microsoft Security Response Center (MSRC) advisory for details and specific instructions.
CVE-2025-21177 is a server-side request forgery vulnerability in Microsoft Dynamics 365 Sales allowing authenticated attackers to elevate privileges and access internal network resources.
You are affected if you are running Microsoft Dynamics 365 Sales without the vendor-provided fix. This page does not list a specific affected version range, so confirm your version against the Microsoft advisory.
Apply the vendor-provided update for Microsoft Dynamics 365 Sales. Until it is applied, use temporary workarounds such as network segmentation and egress filtering of the service's outbound requests.
No public exploits are currently known, but SSRF bugs are generally straightforward to exploit once the vulnerable request path is known. Monitor security advisories for updates.
Refer to the official Microsoft Security Response Center (MSRC) website for the latest advisory and patch information related to CVE-2025-21177.