Microsoft has released a security update to fix an information disclosure vulnerability in Dynamics 365 on-premises versions, tracked as CVE-2025-53728. The flaw, classified as allowing an authenticated attacker to disclose sensitive information over a network, can be exploited to siphon business data, session tokens, and configuration secrets from unpatched servers. While the vendor has not assigned a CVSS score in public advisory text, technical analysis and historical patterns strongly suggest the issue stems from improper input handling—likely a Cross‑Site Scripting (XSS) vector—that can be triggered through crafted record fields, web resources, or URL parameters. Cybersecurity researchers and SOC teams have begun circulating detailed guidance for detection, mitigation, and incident response, emphasizing that speed is critical because attackers are increasingly weaponizing flaws in on-premises Microsoft products, as seen in the recent wave of SharePoint exploitation.
Technical Breakdown: What the Vulnerability Actually Does
CVE-2025-53728 resides in the Dynamics 365 on-premises application layer—specifically, the way the platform processes and renders user‑supplied content. According to the Microsoft Security Response Center (MSRC) advisory, an attacker who is authorized on the network can leverage the flaw to exfiltrate information. This usually means the attacker must have some level of authenticated access, even if only low‑privileged. The underlying weakness is a failure to properly neutralize or encode user input before it is reflected back to other users’ browsers or returned in API responses. The result is a classic information disclosure / XSS condition: malicious script or exfiltration payloads can be injected into a Dynamics record, a note field, a form, or even a crafted URL, and when an unsuspecting—often privileged—user later views the affected page, the payload executes in their browser context.
In live environments, such bugs give attackers a reliable way to:
- Steal session tokens and API tokens that are accessible to the browser (unless cookies are properly HttpOnly).
- Scrape and forward entire CRM records, including customer details, leads, contracts, and internal notes.
- Spoof the Dynamics interface to phish credentials—showing a fake login prompt that harvests usernames and passwords.
- Trigger privileged actions on behalf of the victim (akin to a CSRF‑style attack) by making the browser issue requests to Dynamics endpoints.
- Discover integration endpoints, connection strings, or service account names that can be used in lateral movement.
The MSRC advisory deliberately uses cautious language (“allows an authorized attacker to disclose information”), but in practice, a successful exploit can quickly escalate to a full‑blown data breach or serve as the entry point for chaining into other vulnerabilities. Previous Dynamics on‑prem information disclosure advisories (such as CVE‑2023‑24891 and CVE‑2023‑36020) followed a similar profile, and many organizations only recognized the severity after seeing evidence of exfiltration.
Attack Chain and Real‑World Impact
Based on technical analysis of comparable Dynamics vulnerabilities, the typical attack chain for CVE‑2025‑53728 unfolds in three stages:
1. Injection – The attacker places a payload inside a Dynamics record field (e.g., a contact’s description, a case note) or a custom web resource. This could be a stored XSS payload or a reflected one delivered through a malicious link to a Dynamics endpoint.
2. Trigger – A legitimate user—often an administrator, sales manager, or support agent—opens the record or clicks the link. The Dynamics web application renders the un‑neutralized content, causing the browser to execute the attacker’s script or transmit sensitive data to an external server.
3. Exfiltration/Lateral Movement – The attacker receives the stolen data (session cookies, CRM records, configuration values) and may use it to impersonate the victim, pivot to connected systems (SharePoint, Power Automate, SQL Server), or install additional persistence mechanisms.
Because Dynamics on‑premises installations often store highly confidential business data—sales pipelines, PII, financial forecasts—the impact can be devastating. Even if only low‑privilege information appears to be accessible initially, attackers frequently chain this with misconfigurations or other weaknesses to escalate their foothold. For example, leaked service account tokens can grant direct database access or allow an attacker to modify plugins. In one historical case, a Dynamics XSS flaw led to the exposure of integration keys that were then used to breach a connected Azure‑hosted application.
What to Do Right Now: Immediate Mitigations
Microsoft’s official fix is the definitive remediation. However, until the security update can be tested and deployed across all production servers, every organization running Dynamics 365 on‑prem must implement the following compensating controls to reduce the immediate attack surface.
Network and Access Controls
- Restrict external access – Place the Dynamics front‑end behind a VPN, an application gateway with IP allow‑listing, or a reverse proxy that enforces strong authentication. Disable any public‑facing endpoints that are not strictly required.
- Enforce least privilege – Conduct an urgent audit of user roles and revoke unnecessary administrative privileges. Remove stale service accounts and enable multi‑factor authentication (MFA) for all admin accounts.
Web Application Firewall (WAF) Rules
- Deploy a WAF in front of the Dynamics instance and activate XSS‑specific rule sets. Configure rules that detect and block common injection payloads: <script tags, on* event handlers, javascript: URI schemes, and excessive percent‑encoded strings.
- While a WAF cannot permanently replace patching, it can buy time by filtering the most common exploitation attempts.
Browser and Server Hardening
- Set the HttpOnly and Secure flags on all session cookies: HttpOnly stops JavaScript from reading cookie values even if an XSS payload executes, and Secure ensures they are only sent over HTTPS.
- Deploy a strict Content Security Policy (CSP) that disallows inline scripts and restricts script-src to trusted domains. If Dynamics customizations rely on inline scripts, test the CSP thoroughly in a staging environment first; a report‑only mode can be used to gauge the impact without breaking functionality.
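A quick way to verify the two hardening items above is to audit the response headers the Dynamics front‑end actually returns. The following is an added example written for this article, not Microsoft code; it takes the header list an HTTP client returns, and the sample cookie name and hosts are constructed placeholders.

```python
def parse_set_cookie(value):  # Set-Cookie value -> (cookie name, lowercase attribute names)
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs

def parse_csp(policy):  # CSP string -> {directive: [sources]}
    directives = {}
    for clause in policy.split(";"):
        tokens = clause.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def audit_headers(headers):
    """headers: list of (name, value) tuples from an HTTP response. Empty result = all checks passed."""
    findings, enforced, report_only = [], None, None
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            cookie, attrs = parse_set_cookie(value)
            for attr, label in (("httponly", "HttpOnly"), ("secure", "Secure")):
                if attr not in attrs:
                    findings.append(f"cookie {cookie} lacks {label}")
        elif lname == "content-security-policy":
            enforced = parse_csp(value)
        elif lname == "content-security-policy-report-only":
            report_only = parse_csp(value)
    policy = enforced or report_only
    if policy is None:
        return findings + ["no CSP header (enforced or report-only)"]
    # script-src falls back to default-src when absent, as browsers do
    script_src = policy.get("script-src") or policy.get("default-src", [])
    if not script_src:
        findings.append("CSP defines neither script-src nor default-src")
    elif "'unsafe-inline'" in script_src or "*" in script_src:
        findings.append("script-src permits inline scripts or any origin")
    if enforced is None:
        findings.append("CSP is report-only: violations are logged, not blocked")
    return findings

# Constructed sample responses (cookie name and hosts are placeholders, not Dynamics' real values)
WEAK = [
    ("Set-Cookie", "session_id=abc123; Path=/"),
    ("Content-Security-Policy-Report-Only", "script-src 'self' 'unsafe-inline'"),
]
HARDENED = [
    ("Set-Cookie", "session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Content-Security-Policy", "default-src 'self'; script-src 'self' https://crm.example.com; object-src 'none'"),
]
```

Run `audit_headers` against the headers of a real login response during the staging test; the report‑only finding is expected while the CSP is still being tuned.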
Application‑Level Short‑Term Fixes
- Temporarily disable or sanitize any free‑form rich text fields, HTML/JavaScript web resources, or custom upload points that could serve as injection vectors.
- Configure Dynamics auditing to log all changes to record fields and web resources, ensuring that injection attempts are recorded.
Detection and Threat Hunting: What Your SOC Should Look For
Given that attackers may already be probing for this vulnerability, SOC teams should immediately begin monitoring for indicators of compromise. The following approaches are recommended by incident response analysts familiar with Dynamics security:
Log Analysis Patterns
- Search Dynamics audit logs and IIS request logs for the presence of suspicious strings in request parameters or record field updates:
  - <script, onload=, onerror=, onmouseover= and similar HTML event handlers
  - javascript: or data:text/html URIs
  - Long, seemingly random query strings or JSON blobs in POST bodies
  - Excessive base64‑encoded payloads in URL parameters
- Look for atypical spikes in record views by accounts that do not normally access those entities, or for high‑volume reads immediately after a user‑initiated change.
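The indicator list above can be turned into an offline scan of exported IIS logs. This is an added example for this article, not a Microsoft or vendor tool; it assumes W3C extended logs with the field order shown in the embedded #Fields directive, and the sample lines are constructed, not real traffic. It percent‑decodes each query repeatedly so double‑encoded payloads are caught, which the plain string search above would miss.

```python
import re
from urllib.parse import unquote

# Indicator names and patterns taken from the Log Analysis section above; matched after URL-decoding
INDICATORS = {
    "script-tag": re.compile(r"<script", re.I),
    "event-handler": re.compile(r"\bon(load|error|mouseover|click|focus)\s*=", re.I),
    "javascript-uri": re.compile(r"javascript:", re.I),
    "data-html-uri": re.compile(r"data:text/html", re.I),
}
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")  # long run of base64 alphabet in a raw parameter

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded payloads are caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(query):
    """Return the indicator names that fire on one query string (empty list if none)."""
    decoded = decode_fully(query.replace("+", " "))
    hits = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
    if BASE64_RUN.search(query):
        hits.append("base64-run")
    if len(query) > 1024:
        hits.append("long-query")
    return hits

def scan_iis_log(lines):
    """Scan W3C extended log lines laid out as: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip."""
    findings = []
    for line in lines:
        fields = line.split()
        if line.startswith("#") or len(fields) < 7:
            continue  # skip directives, blank and truncated lines
        date, time, method, stem, query, user, ip = fields[:7]
        hits = classify("" if query == "-" else query)
        if hits:
            findings.append({"time": f"{date} {time}", "user": user, "ip": ip, "stem": stem, "hits": hits})
    return findings

# Constructed sample lines (not real traffic); the field order follows the #Fields directive
SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip
2025-08-12 10:01:02 GET /main.aspx etn=contact&id=1234 jdoe 10.0.0.5
2025-08-12 10:01:09 GET /main.aspx etn=contact&id=%3Cscript%3Ealert(1)%3C/script%3E jdoe 10.0.0.5
2025-08-12 10:02:30 GET /WebResources/new_banner.html data=%253Cimg%2520onerror%253Dalert(1)%253E svc_integ 10.0.0.9
""".splitlines()
```

Feed `scan_iis_log` the lines of a real log file and pivot on the returned user and ip values to spot accounts that should not be issuing such requests.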
Endpoint and Browser Signals
- EDR solutions may catch browsers spawning unusual child processes or making outbound network connections to unknown external domains right after a user accesses a Dynamics page.
- Be alert for unexpected POST requests from a user’s browser to external servers containing CRM‑related data.
SIEM Example Queries (Conceptual)
- Splunk/Elastic/ArcSight: Search for events where the uri_query or form_data fields contain <script>, onload=, or javascript:.
- Microsoft Sentinel: Use the Dynamics365Activity table (if integrated) to hunt for Operation values indicating unusual resource access or field modifications.
- Generic SQL: Query the Dynamics database’s StringMapBase or NoteBase tables for recently inserted rows containing HTML tags or base64 content.
If any evidence of exploitation is found, isolate the affected Dynamics servers immediately and preserve forensic artifacts (IIS logs, SQL transaction logs, memory dumps where feasible). Rotate all service account credentials, API keys, and session tokens that may have been exposed, and treat the incident as an active breach.
Patching Strategy: How to Deploy the Fix Safely
The MSRC advisory for CVE‑2025‑53728 provides the specific cumulative update (CU) or security‑only patch that contains the fix. Follow these steps to ensure a smooth, risk‑controlled deployment:
1. Inventory your environment – Document the exact build numbers of every Dynamics 365 on‑prem front‑end and back‑end server. Compare them with the “Affected products” table in the MSRC update guide.
2. Obtain the correct update – Download the patch from the Microsoft Update Catalog or through your normal channel. The advisory page will list the KB article number; record it for your change management ticket.
3. Test in a staging environment – Apply the update to a replica that mirrors your production customizations, plugins, and third‑party integrations. Dynamics cumulative updates have occasionally altered behavior in older customizations, so regression testing is mandatory.
4. Back up everything – Take full backups of the Dynamics databases, application server configurations, and IIS settings before touching production. Have a documented rollback plan.
5. Deploy during a maintenance window – Apply the patch to all nodes. After installation, validate the fix by attempting the known‑vulnerable record‑view patterns in a controlled manner.
6. Rotate credentials post‑patch – If there is any suspicion that exploitation occurred prior to patching, rotate all credentials and API tokens associated with Dynamics integrations. Also rotate ASP.NET machine keys and restart IIS.
The Broader Threat Landscape: Why This Patch Can’t Wait
CVE‑2025‑53728 arrives during an intense period of active exploitation against Microsoft on‑premises products. In July 2025, the Cybersecurity and Infrastructure Security Agency (CISA) and Microsoft jointly disclosed that threat actors were chaining multiple SharePoint vulnerabilities—CVE‑2025‑49706, CVE‑2025‑49704, CVE‑2025‑53770, and CVE‑2025‑53771—to obtain unauthenticated remote code execution, deploy webshells, and eventually drop ransomware such as Warlock. These attacks, collectively dubbed “ToolShell,” exploited flaws that had only just been patched, and they progressed from proof‑of‑concept to in‑the‑wild ransomware deployment within days.
Dynamics 365 on‑premises is built on similar technology stacks (IIS, .NET, SQL Server) and often coexists with SharePoint in the same network segments. Attackers who compromise one on‑prem Microsoft application quickly pivot to others. The CISA alert explicitly reminds organizations that end‑of‑life products should be disconnected, and that network segmentation, aggressive patch management, and real‑time log monitoring are non‑negotiable. The existence of CVE‑2025‑53728—an information disclosure bug that might initially appear less severe than an RCE—should not lull anyone into complacency. Leaked internal data can fuel devastating business email compromise (BEC), supply chain attacks, or further ransomware campaigns.
Action Plan for IT and Security Teams
- Patch immediately: Assign a severity of “High” or “Critical” based on the data your Dynamics instance holds. If the system stores PII, trade secrets, or authentication material, treat the patch as an emergency change.
- Conduct a threat hunt now: Use the detection indicators above to look for signs of exploitation over the past 30 days. Even if you find nothing, repeat the hunt daily for the next week.
- Harden the environment: Disable public access, enforce MFA, and place the Dynamics servers behind a WAF. Apply the principle of least privilege and remove any unused web resources or custom pages.
- Educate developers: Review all custom plugins, web resources, and form scripts for unsafe uses of user input. Mandate output encoding and adopt the OWASP XSS Prevention Cheat Sheet as a coding standard.
- Monitor for updates: Keep an eye on the MSRC advisory page for any revisions to affected versions or remediation guidance. The situation may evolve if new proof‑of‑concept code surfaces.
CVE‑2025‑53728 is a stark reminder that even “information disclosure” bugs can have serious consequences when they touch the business‑critical data inside a CRM. The patch is available now, and every hour of delay gives attackers more opportunity to map your network and exfiltrate sensitive records. Apply the update, verify it, and harden your posture—before the criminals come knocking.