CVE-2020-16860

6.8 MEDIUM

📋 TL;DR

This is a remote code execution vulnerability in Microsoft Dynamics 365 (on-premises): the server fails to properly sanitize web requests, so an authenticated attacker who sends a specially crafted request can run arbitrary code in the context of the SQL service account, potentially compromising the entire Dynamics server and its associated databases. Only on-premises deployments of Microsoft Dynamics 365 are affected.

💻 Affected Systems

Products:
  • Microsoft Dynamics 365 (on-premises)
Versions: Specific versions not detailed in advisory; check Microsoft advisory for exact affected versions
Operating Systems: Windows Server (as required by Dynamics 365 on-premises)
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects on-premises deployments; Dynamics 365 Online/cloud versions are not affected. Requires authenticated access to exploit.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the Dynamics server and associated SQL databases, allowing data theft, destruction, or ransomware deployment across the entire Dynamics environment.

🟠 Likely Case

Attacker gains SQL service account privileges, enabling data exfiltration, privilege escalation, and lateral movement within the network.

🟢 If Mitigated

Limited impact due to network segmentation, minimal SQL service account privileges, and proper input validation controls.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires authenticated access and specially crafted web requests. No public exploit code was mentioned in the advisory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Microsoft Security Update Guide for specific patch versions

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16860

Restart Required: Yes

Instructions:

1. Apply the latest security update from Microsoft for Dynamics 365 (on-premises).
2. Restart the Dynamics server and any dependent services.
3. Verify the patch is applied correctly.

🔧 Temporary Workarounds

Network Segmentation (platform: all)

Restrict access to Dynamics servers to only authorized users and systems using firewall rules.

Least Privilege for SQL Service Account (platform: windows)

Reduce SQL service account privileges to the minimum required for Dynamics operations.

🧯 If You Can't Patch

  • Implement strict input validation and sanitization at the application layer
  • Monitor for unusual SQL service account activity and failed authentication attempts

🔍 How to Verify

Check if Vulnerable:

Check Dynamics 365 version against Microsoft's security advisory; vulnerable if running an affected on-premises version without the patch.

Check Version:

Check the Dynamics 365 version in the application settings, or list installed Dynamics products via PowerShell:

Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -like '*Dynamics*'}

Note that enumerating Win32_Product is slow and triggers a Windows Installer consistency check of every installed product; run it in a maintenance window or prefer the application's own version display.

Verify Fix Applied:

Verify patch installation through Windows Update history or Dynamics version check; ensure version matches patched release.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL service account activity
  • Failed authentication attempts followed by successful ones
  • Suspicious web requests to Dynamics endpoints

Network Indicators:

  • Unusual outbound connections from Dynamics server
  • SQL traffic from unexpected sources

SIEM Query:

source="dynamics_server" AND (event_id=4625 OR event_id=4688) AND user="SQLServiceAccount"
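The two log indicators above (failed logons followed by a success for the SQL service account, and unexpected process creation under that account) can be checked outside a SIEM as well. The following is an added example, not part of the original advisory; the event records, the account name `SQLServiceAccount` and the baseline process list are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Windows Security log IDs:
# 4625 = failed logon, 4624 = successful logon, 4688 = process creation.
SAMPLE_EVENTS = [
    {"time": "2020-09-08T10:00:01", "event_id": 4625, "user": "SQLServiceAccount", "src": "10.0.5.23"},
    {"time": "2020-09-08T10:00:04", "event_id": 4625, "user": "SQLServiceAccount", "src": "10.0.5.23"},
    {"time": "2020-09-08T10:00:09", "event_id": 4624, "user": "SQLServiceAccount", "src": "10.0.5.23"},
    {"time": "2020-09-08T10:00:15", "event_id": 4688, "user": "SQLServiceAccount", "process": "cmd.exe"},
    {"time": "2020-09-08T11:30:00", "event_id": 4624, "user": "SQLServiceAccount", "src": "10.0.1.10"},
    {"time": "2020-09-08T11:30:02", "event_id": 4688, "user": "SQLServiceAccount", "process": "sqlservr.exe"},
]

# Assumed baseline of processes the SQL service account normally spawns.
EXPECTED_PROCESSES = {"sqlservr.exe", "sqlagent.exe"}


def find_indicators(events, account="SQLServiceAccount",
                    window=timedelta(minutes=5), min_failures=2):
    """Return (kind, time, detail) findings for the given service account.

    kind is "failed_then_success" when at least min_failures 4625 events
    precede a 4624 within `window`, or "unexpected_process" when a 4688
    names a process outside the baseline.
    """
    findings = []
    recent_failures = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["user"] != account:
            continue
        ts = datetime.fromisoformat(ev["time"])
        # Forget failures older than the correlation window.
        recent_failures = [t for t in recent_failures if ts - t <= window]
        if ev["event_id"] == 4625:
            recent_failures.append(ts)
        elif ev["event_id"] == 4624:
            if len(recent_failures) >= min_failures:
                findings.append(("failed_then_success", ev["time"], ev.get("src")))
            recent_failures = []
        elif ev["event_id"] == 4688:
            if ev.get("process", "").lower() not in EXPECTED_PROCESSES:
                findings.append(("unexpected_process", ev["time"], ev["process"]))
    return findings
```

Running it over the constructed sample yields one brute-force-then-success finding from 10.0.5.23 and one unexpected `cmd.exe` launch; the baseline set should be tuned to what the account actually runs in your environment.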
