Microsoft Dynamics 365 On-Premises Authenticated Code Injection RCE (Scope Change)

VULNERABILITY OVERVIEW

An improper control of code generation (CWE-94) vulnerability in Microsoft Dynamics 365 on-premises allows any low-privileged authenticated attacker to execute arbitrary code over the network by modifying the saved state of a process session in Dynamics CRM. The vulnerability is rare in that it carries a scope change flag, meaning successful exploitation can impact systems beyond the vulnerable component itself — a significant blast-radius indicator for enterprises running Dynamics CRM with connected business workflows and customer data. No user interaction is required. Microsoft urges immediate customer action (unlike several Azure-side fixes this month handled server-side).

CVSS BREAKDOWN

CITATIONS

• → Microsoft MSRC: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42898
• → CrowdStrike May 2026 Patch Tuesday: https://www.crowdstrike.com/en-us/blog/patch-tuesday-analysis-may-2026/
• → SC World: https://www.scworld.com/news/patch-tuesday-no-zero-days-among-137-microsoft-cves-4-word-rces
• → The Register: https://www.theregister.com/patches/2026/05/13/doozy-of-a-patch-tuesday-includes-30-critical-microsoft-cves/
• → Security Boulevard: https://securityboulevard.com/2026/05/microsofts-may-2026-patch-tuesday-addresses-118-cves-cve-2026-41103/