CVE-2025-58112
SQL Injection in Microsoft Dynamics 365 Reporting Service
Publication date: 2026-03-18
Last updated on: 2026-03-19
Assigner: MITRE
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| microsoft | dynamics_365_customer_engagement | 9.0.2.3034 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-58112 is a SQL injection vulnerability in Microsoft Dynamics 365 Customer Engagement (on-premises) version 1612 (9.0.2.3034). It arises from the ability to generate customized reports by uploading Report Definition Language (.rdl) files that contain raw SQL queries. An authenticated user with the "Add Reporting Services Reports" privilege can upload a malicious .rdl file containing arbitrary SQL commands. When the report is generated, these SQL commands are executed by the SQL Server Reporting Service without proper validation.

Even if the malicious .rdl file is already uploaded and executable by the user, the privilege is not required to trigger the execution. The vulnerability allows execution of arbitrary SQL commands in the underlying database, potentially leading to unauthorized data access or further system compromise depending on the permissions of the SQL Server Reporting Service account. [2]
How can this vulnerability impact me?
This vulnerability can have serious impacts including unauthorized execution of arbitrary SQL commands on the underlying database of Microsoft Dynamics 365. An attacker with the required privilege can:
- Access sensitive information from other organizations hosted on the same Dynamics 365 instance, bypassing tenant isolation.
- Compromise the security and integrity of the Dynamics 365 environment.
- Depending on the permissions of the SQL Server Reporting Service account, perform additional actions such as accessing linked servers or executing operating system commands.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for the presence of malicious or suspicious .rdl files uploaded to the Microsoft Dynamics 365 Customer Engagement (on-premises) reporting service, especially those that contain embedded SQL queries executed via the sp_executesql stored procedure.

One practical approach is to look for reports that accept arbitrary SQL queries through parameters like QueryText and execute them dynamically. For example, you can search for .rdl files containing SQL commands similar to the following pattern:

- `DECLARE @DynamicSQL NVARCHAR(MAX) SET @DynamicSQL = 'SELECT c1, c2, c3, c4 FROM (' + @QueryText + ') AS DynamicQuery' EXEC sp_executesql @DynamicSQL`

Additionally, you can run SQL queries on the underlying database to detect unusual report executions or uploaded reports with suspicious content. Example detection queries include:

- Querying the report catalog or report server database for recently uploaded .rdl files with embedded dynamic SQL.
- Monitoring execution logs for reports that execute arbitrary SQL commands or unusual queries such as those returning columns named c1, c2, c3, and c4.

If you have access to the Dynamics 365 environment, you can attempt to run the proof-of-concept queries (with caution and in a controlled environment) to verify if the vulnerability is exploitable, such as:

- `SELECT @@VERSION as c1, ' ' as c2, ' ' as c3, ' ' as c4`
- `SELECT SUSER_NAME() as c1, ' ' as c2, ' ' as c3, ' ' as c4`

[2]
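The file-level check described above (searching uploaded .rdl files for dynamic SQL built from a report parameter and executed through sp_executesql) can be automated. The following Python scanner is an added example for this page, not Microsoft's tooling or anything shipped with Dynamics 365. It assumes the standard RDL layout `DataSets/DataSet/Query/CommandText` (parsed namespace-agnostically, since the RDL schema namespace changes between SQL Server versions), and its three detection patterns are assumed heuristics chosen for this example. The two embedded RDL documents are constructed samples; the suspicious one reproduces the query pattern quoted in the answer above.

```python
import os
import re
import xml.etree.ElementTree as ET

# Heuristic indicators of dynamic SQL inside a dataset query. These are
# assumed detection patterns for this example, not an exhaustive list.
DYNAMIC_SQL_PATTERNS = {
    "sp_executesql": re.compile(r"\bsp_executesql\b", re.IGNORECASE),
    "exec of a string": re.compile(r"\bEXEC(?:UTE)?\s*\(", re.IGNORECASE),
    # '... (' + @QueryText + ') ...': a parameter spliced into a SQL string
    "parameter concatenation": re.compile(r"\+\s*@\w+\s*\+"),
}


def _local_name(tag):
    """Strip the XML namespace so the scan works across RDL schema versions."""
    return tag.rsplit("}", 1)[-1]


def extract_command_texts(rdl_xml):
    """Return (dataset name, CommandText) pairs from one RDL document.

    Assumes the standard RDL layout DataSets/DataSet/Query/CommandText.
    """
    root = ET.fromstring(rdl_xml)
    found = []
    for dataset in root.iter():
        if _local_name(dataset.tag) != "DataSet":
            continue
        name = dataset.get("Name", "")
        for element in dataset.iter():
            if _local_name(element.tag) == "CommandText" and element.text:
                found.append((name, element.text.strip()))
    return found


def find_dynamic_sql(rdl_xml):
    """Return one finding per dataset whose query matches a dynamic-SQL pattern."""
    findings = []
    for name, command in extract_command_texts(rdl_xml):
        hits = [label for label, pat in DYNAMIC_SQL_PATTERNS.items() if pat.search(command)]
        if hits:
            findings.append({"dataset": name, "patterns": hits, "command": command})
    return findings


def scan_directory(path):
    """Scan every .rdl file under path; returns {file path: findings}."""
    report = {}
    for dirpath, _, filenames in os.walk(path):
        for filename in filenames:
            if not filename.lower().endswith(".rdl"):
                continue
            full = os.path.join(dirpath, filename)
            # utf-8-sig tolerates the BOM that RDL files exported by design tools often carry
            with open(full, encoding="utf-8-sig") as fh:
                try:
                    findings = find_dynamic_sql(fh.read())
                except ET.ParseError:
                    findings = [{"dataset": "", "patterns": ["unparseable RDL"], "command": ""}]
            if findings:
                report[full] = findings
    return report


# Constructed sample reports for demonstration (not real Dynamics 365 artifacts).
_NS = 'xmlns="http://schemas.microsoft.com/sqlserver/reporting/2016/01/reportdefinition"'

BENIGN_RDL = f"""<Report {_NS}>
  <DataSets>
    <DataSet Name="Accounts">
      <Query>
        <DataSourceName>CRM</DataSourceName>
        <CommandText>SELECT name, accountnumber FROM FilteredAccount</CommandText>
      </Query>
    </DataSet>
  </DataSets>
</Report>"""

SUSPICIOUS_RDL = f"""<Report {_NS}>
  <DataSets>
    <DataSet Name="DynamicQuery">
      <Query>
        <DataSourceName>CRM</DataSourceName>
        <CommandText>DECLARE @DynamicSQL NVARCHAR(MAX)
SET @DynamicSQL = 'SELECT c1, c2, c3, c4 FROM (' + @QueryText + ') AS DynamicQuery'
EXEC sp_executesql @DynamicSQL</CommandText>
      </Query>
    </DataSet>
  </DataSets>
</Report>"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_RDL), ("suspicious", SUSPICIOUS_RDL)):
        print(label, find_dynamic_sql(doc))
```

Run `scan_directory()` against a copy of the reporting server's report store or an export of uploaded reports; any hit on a dataset query is worth a manual review, since legitimate reports rarely need to assemble SQL text from a parameter at run time.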
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, Microsoft recommends enabling a security setting that blocks elevated queries executed by the Reporting Service account.

This can be done by running the following PowerShell command in your Dynamics 365 on-premises environment:

- `Set-CrmAdvancedSetting -SettingName 'BlockElevatedReportServiceAccount' -SettingValue 'true'`

This setting prevents the execution of queries with elevated privileges by the SQL Server Reporting Service account, reducing the risk of arbitrary SQL command execution.

Additionally, review and restrict the privileges of accounts that have the "Add Reporting Services Reports" privilege to trusted users only, and monitor report uploads for suspicious .rdl files. [2]