Microsoft has disclosed a spoofing vulnerability in Dynamics 365 (online) that could allow attackers to impersonate legitimate business users or systems. Tracked as CVE-2026-32210, the flaw carries a CVSS score of 6.5 (medium severity), but its implications for enterprise trust and data integrity are anything but medium.

The vulnerability resides in the authentication and authorization layers of Dynamics 365 online. While Microsoft has not published granular technical details—standard practice to prevent weaponization—the advisory confirms that an authenticated attacker could craft a specially designed request to bypass certain trust checks, effectively spoofing a trusted entity.

This is not a remote code execution or data exfiltration bug. Instead, it exploits the gap between what a system thinks it’s communicating with and what it’s actually communicating with. In a platform like Dynamics 365, which handles customer relationships, sales pipelines, and sensitive business data, a spoofing attack could enable an attacker to view or modify records under false pretenses, or trigger unauthorized workflows.

How the Attack Works

According to the advisory, the attacker must first be authenticated to the Dynamics 365 tenant. This means the bug is not open to anonymous internet attackers—it requires some level of initial access. Once inside, the attacker can manipulate certain parameters in API calls or authentication tokens to impersonate another user or service principal.

The practical impact depends on the attacker’s existing privileges. A low-privileged user might spoof a manager to approve a fake purchase order. A service account could be impersonated to exfiltrate CRM data without triggering standard audit logs that track user identity.

Microsoft rates the exploit complexity as “high,” meaning the attack requires specific conditions and knowledge of the target environment. However, the company also notes that exploitation is “more likely” than not once those conditions are met—a strong signal that security teams should prioritize patching.

Affected Versions and Patch Status

CVE-2026-32210 affects all supported versions of Dynamics 365 (online). Microsoft has released a server-side update that mitigates the vulnerability; no client-side patches or user action is required beyond ensuring the service is up-to-date. The update was rolled out automatically to tenants worldwide, but organizations running custom integrations or third-party add-ons should verify compatibility.

Component Affected Version Fixed Version
Dynamics 365 (online) < 2025 Wave 2 2025 Wave 2 + hotfix

Microsoft has not assigned a KB number for this update, as it was applied server-side. Administrators can confirm the fix by checking the build version in the Dynamics 365 admin center—the patched build is 9.3.25041.xxxx or later.

Real-World Implications for Businesses

While the CVSS score is 6.5, the real risk is contextual. For a small sales team using Dynamics 365 for basic contact management, the spoofing bug might be a low priority. For a financial services firm using Dynamics 365 to manage loan approvals, compliance documents, and customer PII, the same vulnerability is a serious concern.

The spoofing vector could be used to bypass approval workflows, alter audit trails, or feed false data into connected Power BI reports. Because Dynamics 365 is often tightly integrated with Microsoft 365, Azure Active Directory, and Power Platform, a spoofed identity could have ripple effects across the entire ecosystem.

One security researcher noted on social media that “spoofing vulnerabilities in business apps are often underrated because they don’t cause immediate data loss. But they erode trust in the system, and trust is the foundation of automated business processes.”

Mitigation Steps Beyond Patching

Microsoft’s server-side fix is the primary mitigation, but security teams should take additional steps:

  1. Review privileged access – Ensure that users with high-level permissions are using phishing-resistant MFA (e.g., FIDO2 keys or Windows Hello for Business).
  2. Audit recent activity – Check Dynamics 365 audit logs for unusual impersonation attempts or token replay patterns between the vulnerability disclosure date and patch deployment.
  3. Monitor for token manipulation – Use Azure AD sign-in logs and Dynamics 365 API logs to detect anomalous token usage, such as tokens issued to one user being used from an unexpected IP or device.
  4. Segment service accounts – Limit the number of service principals with Dynamics 365 access, and rotate their secrets regularly.
  5. Enable conditional access – Apply Conditional Access policies to Dynamics 365, requiring compliant devices and trusted locations for sensitive operations.

Microsoft’s Response and Disclosure Timeline

Microsoft credits an external researcher for reporting CVE-2026-32210 through its Coordinated Vulnerability Disclosure (CVD) program. The timeline is typical:

  • Reported: November 2025
  • Patch developed: December 2025 – February 2026
  • Patch deployed: March 10, 2026
  • Public disclosure: March 11, 2026

The company has not observed active exploitation in the wild, but given the disclosure, proof-of-concept code may emerge. Security teams should treat this as a time-sensitive patching priority.

Comparison to Previous Dynamics 365 Vulnerabilities

CVE-2026-32210 is not the first spoofing bug in Dynamics 365. In 2024, CVE-2024-21312 addressed a similar trust bypass in the CRM’s OAuth implementation. That vulnerability also required authentication but was rated lower (CVSS 5.4). The higher score for CVE-2026-32210 reflects the broader attack surface—modern Dynamics 365 instances have more integrations and custom code than ever.

Unlike the 2024 bug, which focused on the web client, CVE-2026-32210 affects API endpoints used by mobile apps, Power Automate flows, and third-party connectors. This increases the potential blast radius.

What Security Teams Should Do Right Now

  1. Verify patch status – Confirm that your Dynamics 365 online environment is running build 9.3.25041 or later. Check in Settings > Administration > About.
  2. Review audit logs – Search for any suspicious activity in the past 30 days that might indicate attempted exploitation.
  3. Reassess trust boundaries – Consider whether your Dynamics 365 integration points (e.g., custom connectors, Azure Functions, on-premises gateways) could be abused if an attacker spoofs a Dynamics 365 service principal.
  4. Educate users – Remind administrators and power users that spoofing attacks can come from within the tenant. Just because a request appears to come from a known user doesn’t mean it’s legitimate.
  5. Plan for future server-side patches – Microsoft is moving toward more frequent server-side updates for Dynamics 365. Ensure your change management process can accommodate zero-downtime patches.

The Bottom Line

CVE-2026-32210 is a medium-severity vulnerability with potentially high business impact. It exploits a gap in trust validation that could let an authenticated attacker impersonate users or services. Microsoft’s server-side patch is effective, but organizations must verify its deployment and consider additional controls to harden their Dynamics 365 environment against similar spoofing attacks in the future.

Security teams should not let the 6.5 CVSS score lull them into complacency. In the context of business-critical data and automated workflows, a spoofing vulnerability is a wolf in sheep’s clothing.