Login Sign Up

CVE-2022-21957

7.2 HIGH
Remote Code Execution

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on Microsoft Dynamics 365 On-Premises servers. Attackers can exploit this without authentication to gain full control of affected systems. Organizations running vulnerable versions of Dynamics 365 On-Premises are affected.

💻 Affected Systems

Products:
  • Microsoft Dynamics 365 On-Premises
Versions: Specific versions not publicly detailed in advisory; all unpatched versions are vulnerable
Operating Systems: Windows Server (as required by Dynamics 365 On-Premises)
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects on-premises deployments, not Dynamics 365 Online/SaaS versions.

📦 What is this software?

Dynamics 365 by Microsoft

View all CVEs affecting Dynamics 365 →

Dynamics 365 by Microsoft

View all CVEs affecting Dynamics 365 →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise allowing attackers to install malware, steal sensitive data, pivot to other systems, and maintain persistent access.

🟠

Likely Case

Attackers gain initial foothold in the network, deploy ransomware or data exfiltration tools, and potentially compromise the entire Dynamics environment.

🟢

If Mitigated

Attack is blocked at network perimeter or detected early, limiting impact to isolated system requiring restoration from backups.

🌐 Internet-Facing: HIGH - Remote code execution vulnerabilities in internet-facing business applications are prime targets for attackers.
🏢 Internal Only: MEDIUM - Still significant risk from insider threats or attackers who have breached perimeter defenses.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Microsoft typically doesn't disclose exploit details until patches are widely deployed. Remote code execution vulnerabilities often have public exploits developed after disclosure.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply the January 2022 security update for Dynamics 365

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21957

Restart Required: Yes

Instructions:

1. Download the January 2022 security update from Microsoft Update Catalog. 2. Apply the update to all Dynamics 365 On-Premises servers. 3. Restart affected services or servers as required. 4. Test application functionality after patching.

🔧 Temporary Workarounds

Network Segmentation

all

Restrict network access to Dynamics 365 servers to only trusted sources

Web Application Firewall Rules

all

Implement WAF rules to block suspicious requests to Dynamics endpoints

🧯 If You Can't Patch

  • Isolate Dynamics servers in separate network segments with strict firewall rules
  • Implement additional authentication layers and monitor for suspicious activity

🔍 How to Verify

Check if Vulnerable:

Check Dynamics 365 version and verify if January 2022 security update is installed

Check Version:

Check Dynamics 365 version through administration console or PowerShell: Get-Command -Module Microsoft.Dynamics*

Verify Fix Applied:

Confirm the security update is applied and version matches patched release

📡 Detection & Monitoring

Log Indicators:

  • Unusual process creation from web service accounts
  • Suspicious PowerShell or command execution events
  • Failed authentication attempts followed by successful exploitation

Network Indicators:

  • Unusual outbound connections from Dynamics servers
  • Traffic patterns indicating command and control activity
  • Exploit-specific payloads in HTTP requests

SIEM Query:

source="dynamics_logs" AND (process_creation="powershell.exe" OR process_creation="cmd.exe") AND user="web_service_account"

📊 Metadata

CVE ID: CVE-2022-21957
CVSS v3 Score: 7.2 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Published: February 9, 2022
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON