CVE-2025-64655
Published: 20 November 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-64655 is an improper authorization vulnerability (CWE-285) in the Dynamics OmniChannel SDK Storage Containers. Published on 2025-11-20T23:15:56.750, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). The issue stems from flawed authorization mechanisms that enable unauthorized privilege elevation over a network.
An unauthorized attacker can exploit this vulnerability remotely with low complexity and no required privileges, though user interaction is necessary. Successful exploitation allows the attacker to achieve high impacts on confidentiality, integrity, and availability, specifically by elevating privileges within the affected storage containers.
Security practitioners should consult the Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-64655 for details on patches, workarounds, and mitigation guidance.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
This CVE enables remote, unauthorized privilege escalation through improper authorization in a network-accessible service, which maps directly to T1068 (Exploitation for Privilege Escalation) and T1190 (Exploit Public-Facing Application).