Cyber Resilience

CVE-2025-29807

High · RCE

Published: 21 March 2025

Modified: 03 July 2025
KEV Added
Patch
CVSS Score v3.1: 8.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N)
EPSS Score: 0.0105 (77.9th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-29807 is a high-severity Code Injection (CWE-94) vulnerability in Microsoft Dataverse. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks in the top 22.1% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

Microsoft Dataverse contains a deserialization of untrusted data vulnerability, identified as CVE-2025-29807, in which serialized input is handled improperly. The flaw is associated with CWE-94 and CWE-502. Its CVSS 3.1 score of 8.7 reflects a network attack vector, low attack complexity, low privileges required, required user interaction, and a scope change, with high impact on confidentiality and integrity.

An authorized attacker can exploit the weakness over a network to achieve remote code execution by supplying malicious serialized payloads that the affected component processes without sufficient validation.

Microsoft has published an advisory for CVE-2025-29807, covering mitigation steps, at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-29807. The EPSS score peaked at 0.0178 before settling at the current value of 0.0105.

Vulnerability details

Deserialization of untrusted data in Microsoft Dataverse allows an authorized attacker to execute code over a network.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1068 Exploitation for Privilege Escalation (Tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The deserialization vulnerability in Microsoft Dataverse allows a low-privileged authenticated attacker to achieve remote code execution (CWE-94/502), which maps directly to exploitation for privilege escalation from low to high impact.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-24053 · Same product: Microsoft Dataverse
CVE-2026-32192 · Same vendor: Microsoft
CVE-2026-32184 · Same vendor: Microsoft
CVE-2025-21292 · Same vendor: Microsoft
CVE-2026-25166 · Same vendor: Microsoft
CVE-2026-21231 · Same vendor: Microsoft
CVE-2026-32091 · Same vendor: Microsoft
CVE-2026-25174 · Same vendor: Microsoft
CVE-2026-42823 · Same vendor: Microsoft
CVE-2025-59247 · Same vendor: Microsoft

Affected Assets

microsoft
dataverse
all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Directly mitigates the deserialization vulnerability by requiring timely flaw remediation through patching as detailed in the MSRC advisory for CVE-2025-29807.

prevent

Prevents exploitation of untrusted data deserialization in Microsoft Dataverse by enforcing validation of all inputs prior to processing.

prevent

Mitigates remote code execution resulting from the deserialization flaw via memory protections such as non-executable memory and address space randomization.
