CVE-2025-29807
Published: 21 March 2025
Summary
CVE-2025-29807 is a high-severity Code Injection (CWE-94) vulnerability in Microsoft Dataverse. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks in the top 22.1% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
Microsoft Dataverse contains a deserialization of untrusted data vulnerability, identified as CVE-2025-29807, that permits improper handling of serialized input. The flaw is associated with CWE-94 and CWE-502 and received a CVSS 3.1 score of 8.7, reflecting a network attack vector, low complexity, low privileges, required user interaction, and a scope change with high impact on confidentiality and integrity.
An authorized attacker can exploit the weakness over a network to achieve remote code execution by supplying malicious serialized payloads that the affected component processes without sufficient validation.
Microsoft has published an advisory for CVE-2025-29807 at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-29807 that addresses mitigation steps. The EPSS score reached a peak of 0.0178 before settling at the current value of 0.0105.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-7179
Vulnerability details
Deserialization of untrusted data in Microsoft Dataverse allows an authorized attacker to execute code over a network.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The deserialization vulnerability in Microsoft Dataverse allows a low-privileged authenticated attacker to achieve remote code execution (CWE-94/502), directly mapping to exploitation for privilege escalation from low to high impact.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly mitigates the deserialization vulnerability by requiring timely flaw remediation through patching as detailed in the MSRC advisory for CVE-2025-29807.
Prevents exploitation of untrusted data deserialization in Microsoft Dataverse by enforcing validation of all inputs prior to processing.
Mitigates remote code execution resulting from the deserialization flaw via memory protections such as non-executable memory and address space randomization.