Platform: dotnet
Component: microsoft-dataverse
CVE-2025-29807 is a Remote Code Execution (RCE) vulnerability affecting Microsoft Dataverse. The flaw allows an authenticated attacker to execute arbitrary code over a network by exploiting deserialization of untrusted data. Dataverse versions up to and including the currently known affected range are impacted. Microsoft has not yet released a fixed version.
Successful exploitation of CVE-2025-29807 grants an attacker the ability to execute arbitrary code within the context of the Dataverse service. This could lead to complete system compromise, data exfiltration, and disruption of business operations. Given the potential for remote code execution, the blast radius is significant, potentially impacting all data and services reliant on Microsoft Dataverse. The requirement for authentication limits the immediate scope, but a compromised user account could be leveraged to escalate privileges and gain broader access.
CVE-2025-29807 was publicly disclosed on 2025-03-21. The exploitation context is currently unclear, and no public proof-of-concept (PoC) is available. Its inclusion in the Microsoft security bulletin indicates that exploitation is possible, but the absence of public exploits suggests a lower immediate risk. The EPSS score is pending evaluation.
Exploit Status: not provided
EPSS: 0.96% (76th percentile)
CISA SSVC: not provided
CVSS Vector: not provided
Because no fixed version is available, immediate mitigation is essential. Enforce strict input validation and sanitization for all data entering Dataverse so that untrusted payloads are not deserialized. Use network segmentation to limit the impact of a successful attack. Monitor Dataverse logs for suspicious activity, particularly around deserialization operations. While a patch is pending, review Microsoft security advisories regularly for updates and guidance.
Apply the security updates provided by Microsoft for Microsoft Dataverse. Consult the Microsoft security bulletin for more information and the corresponding updates.
CVE-2025-29807 is a Remote Code Execution vulnerability in Microsoft Dataverse that allows an authenticated attacker to execute code over a network through deserialization of untrusted data.
You are affected if you are running a Microsoft Dataverse version within the currently known affected range. Check your version and monitor Microsoft security advisories.
A fixed version is not yet available. Mitigate by enforcing strict input validation, applying network segmentation, and monitoring Dataverse logs.
There are currently no publicly known active exploits, but the vulnerability's severity warrants proactive mitigation.
Refer to the official Microsoft Security Response Center (MSRC) advisory for CVE-2025-29807 when it becomes available.