CVE-2024-35260
Published: 27 June 2024
Summary
CVE-2024-35260 is a high-severity Untrusted Search Path (CWE-426) vulnerability in Microsoft Power Platform. Its CVSS base score is 8.0 (High).
Operationally, it ranks in the top 8.4% of CVEs by exploit likelihood; it is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
Deeper analysis
An untrusted search path vulnerability tracked as CVE-2024-35260 affects Microsoft Dataverse. The flaw, classified as CWE-426, lets an attacker influence the paths from which executable components are resolved. It was disclosed on 27 June 2024 with a CVSS 3.1 base score of 8.0, reflecting a network attack vector, high attack complexity, high privileges required, no user interaction, and a changed scope with high impact on confidentiality, integrity, and availability.
An authenticated attacker with high privileges can exploit the issue remotely over a network to achieve arbitrary code execution. The attack requires that the attacker already hold valid credentials and be able to place malicious components in a location from which the Dataverse process loads them; a successful attack results in full compromise of the affected service instance.
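To make the CWE-426 condition concrete from the defender's side, the following added example (not Microsoft's code or anything from this advisory; it assumes a Unix permission model and a constructed directory layout) audits a component search path for entries that a less-privileged account could use to substitute the component before the legitimate copy is reached:

```python
"""Audit a component search path for hijack points (CWE-426), Unix model.
Constructed illustration, not Microsoft's code: a loader takes the first
match along the path, so an earlier directory that a less-privileged account
can write to lets that account substitute the component."""
import os
import stat
import tempfile
from pathlib import Path
from typing import Optional

def untrusted_reason(directory: Path, trusted_uids) -> Optional[str]:
    """Why a search-path directory is hijackable, or None if it is not."""
    try:
        st = directory.lstat()
    except FileNotFoundError:
        return "does not exist"  # creatable by whoever can write the parent
    if not stat.S_ISDIR(st.st_mode):
        return "not a directory"
    if st.st_uid not in trusted_uids:
        return f"owned by uid {st.st_uid}, not a trusted account"
    writable = st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
    if writable and not st.st_mode & stat.S_ISVTX:  # sticky dirs are exempt
        return f"writable by group/others (mode {stat.S_IMODE(st.st_mode):o})"
    return None

def audit_search_path(search_path, component, trusted_uids=(0,)):
    """[(position, directory, reason)] for each untrusted directory the
    loader would consult before `component` is first found."""
    findings = []
    for pos, entry in enumerate(search_path):
        directory = Path(entry)
        reason = untrusted_reason(directory, trusted_uids)
        if reason:
            findings.append((pos, str(directory), reason))
        if (directory / component).is_file():
            break  # loader stops at the first hit; later entries are moot
    return findings

def demo():
    """Constructed layout: a world-writable dir and a missing dir precede the real one."""
    root = Path(tempfile.mkdtemp())
    shady, real = root / "shady", root / "lib"
    shady.mkdir()
    real.mkdir()
    shady.chmod(0o777)  # mkdir honours umask, so set the weak mode explicitly
    (real / "plugin.so").write_bytes(b"placeholder, not a real library")
    path = [str(shady), str(root / "missing"), str(real), "/tmp"]
    return audit_search_path(path, "plugin.so", trusted_uids={0, os.getuid()})
```

Running `demo()` reports the world-writable directory and the missing directory as hijack points and ignores `/tmp`, which the loader would never reach because the real component is found first.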
Microsoft has published official guidance and remediation details in its Security Response Center update guide for this vulnerability. The current and peak EPSS scores are both 0.0686, with no material increase observed since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-35765
Vulnerability details
An authenticated attacker can exploit an untrusted search path vulnerability in Microsoft Dataverse to execute code over a network.
- CWE(s): CWE-426 Untrusted Search Path
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.