CVE-2022-21891

7.6 HIGH

📋 TL;DR

CVE-2022-21891 is a spoofing vulnerability in Microsoft Dynamics 365 (on-premises) that allows an attacker to trick users into interacting with malicious content disguised as legitimate Dynamics 365 content. It affects organizations running vulnerable on-premises Dynamics 365 deployments. Attackers could exploit it to carry out phishing attacks or redirect users to malicious sites.

💻 Affected Systems

Products:
  • Microsoft Dynamics 365 (on-premises)
Versions: Specific versions not publicly detailed in advisory; all vulnerable on-premises versions prior to patching
Operating Systems: Windows Server
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects on-premises deployments; Dynamics 365 Online/cloud versions are not affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker could redirect users to malicious websites, steal credentials via phishing, or perform session hijacking by spoofing legitimate Dynamics 365 interfaces.

🟠 Likely Case

Phishing attacks where users are tricked into entering credentials on spoofed login pages or redirected to malicious sites.

🟢 If Mitigated

Limited impact with proper user awareness training, network segmentation, and monitoring for suspicious redirects.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires user interaction (e.g., clicking a link) and some level of access to trick users.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply the security update from Microsoft's January 2022 Patch Tuesday or later

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21891

Restart Required: Yes

Instructions:

1. Download the security update from the Microsoft Update Catalog.
2. Apply the update to all affected Dynamics 365 on-premises servers.
3. Restart servers as required.
4. Test functionality post-patch.

🔧 Temporary Workarounds

Network Segmentation (applies to: all)

Restrict access to Dynamics 365 servers to trusted networks only.

User Awareness Training (applies to: all)

Educate users about phishing risks and verifying URLs before entering credentials.

🧯 If You Can't Patch

  • Implement strict network access controls to limit exposure
  • Monitor for suspicious redirects or unusual authentication patterns

🔍 How to Verify

Check if Vulnerable:

Check if Dynamics 365 on-premises version is unpatched for January 2022 updates

Check Version:

Check Dynamics 365 version through administrative interfaces or server documentation

Verify Fix Applied:

Verify the security update is installed via Windows Update history or server patch management tools

📡 Detection & Monitoring

Log Indicators:

  • Unusual redirect patterns in web server logs
  • Failed authentication attempts from spoofed pages

Network Indicators:

  • Unexpected external redirects from Dynamics 365 servers

SIEM Query:

Search web server logs from Dynamics 365 servers for 301/302 responses that redirect to domains outside the organization's trusted set.
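As an added example (not part of this advisory or of any Microsoft tooling), the following script applies that SIEM logic offline to W3C-style web log lines: it parses the `#Fields` header, keeps 301/302 responses, and flags any absolute URL in the query string whose host is not in a trusted-domain allowlist. The log lines, the trusted domains and the query parameter names (`returnUrl`, `target`) are constructed for illustration and are not Dynamics-specific.

```python
# Added example: flag 301/302 responses whose query string carries an absolute
# URL outside the organisation's trusted domains. Log lines, domains and
# parameter names below are constructed assumptions, not from the advisory.
from urllib.parse import urlsplit, parse_qsl

TRUSTED_DOMAINS = {"crm.example.local", "login.example.local"}

SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2022-01-12 09:15:02 GET /main.aspx - 10.0.0.5 200
2022-01-12 09:15:40 GET /signin returnUrl=https://login.example.local/ 10.0.0.5 302
2022-01-12 09:16:11 GET /signin returnUrl=https://crm-example-login.attacker.invalid/ 10.0.0.9 302
2022-01-12 09:17:03 GET /redirect target=http://203.0.113.10/dyn 10.0.0.9 301
"""

def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def external_hosts(query):
    """Return lower-cased hostnames of absolute http(s) URLs in query values."""
    hosts = []
    if query == "-":          # IIS writes '-' when there is no query string
        return hosts
    for _, value in parse_qsl(query, keep_blank_values=True):
        parts = urlsplit(value)
        if parts.scheme in ("http", "https") and parts.hostname:
            hosts.append(parts.hostname.lower())
    return hosts

def suspicious_redirects(text, trusted=TRUSTED_DOMAINS):
    """Return (client ip, status, host) for redirects pointing at untrusted hosts."""
    hits = []
    for rec in parse_w3c(text):
        if rec.get("sc-status") not in ("301", "302"):
            continue
        for host in external_hosts(rec.get("cs-uri-query", "-")):
            in_allowlist = host in trusted or any(host.endswith("." + t) for t in trusted)
            if not in_allowlist:
                hits.append((rec["c-ip"], rec["sc-status"], host))
    return hits

if __name__ == "__main__":
    for hit in suspicious_redirects(SAMPLE_LOG):
        print("suspicious redirect:", hit)
```

Redirects whose target host is inside the allowlist (including subdomains) are ignored; everything else with a 301/302 status is reported with the client IP for follow-up.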
