CVE-2025-21177
Published: 06 February 2025
Description
Server-Side Request Forgery (SSRF) in Microsoft Dynamics 365 Sales allows an authorized attacker to elevate privileges over a network.
Security Summary
CVE-2025-21177 is a Server-Side Request Forgery (SSRF) vulnerability, mapped to CWE-918, in Microsoft Dynamics 365 Sales. Published on 2025-02-06, it carries a CVSS v3.1 base score of 8.7 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N), which places it in the High severity band.
The vulnerability can be exploited by an authorized attacker with low privileges (PR:L) over the network (AV:N); attack complexity is low (AC:L), but user interaction is required (UI:R). Successful exploitation enables privilege elevation, with high confidentiality (C:H) and integrity (I:H) impact and no availability disruption (A:N). The scope is changed (S:C), meaning the impact extends beyond the vulnerable component itself.
Mitigation guidance is available in the Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21177.
Details
- CWE(s)