
CVE-2025-32711

Severity: Critical
Published: 11 June 2025
Modified: 20 February 2026
CVSS v3.1 score: 9.3 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N)
EPSS score: 0.1940 (95.5th percentile)
Risk priority: 30 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-32711 is a critical-severity Injection (CWE-74) vulnerability in Microsoft 365 Copilot. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 4.5% of CVEs by exploit likelihood, but it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related: it is categorised under Enterprise AI Assistants, falls within the LLM/Generative AI Risks domain, and maps to the MITRE ATLAS technique LLM Prompt Injection (AML.T0051).

Deeper analysis

CVE-2025-32711 is an AI command injection vulnerability in Microsoft 365 Copilot, tracked under CWE-74. The flaw permits unauthorized information disclosure over a network and carries a CVSS 3.1 score of 9.3, reflecting a network attack vector, low attack complexity, no required privileges or user interaction, changed scope, and high confidentiality impact (with low integrity impact and no availability impact per the vector).

An unauthenticated attacker can send crafted inputs over the network to trigger the command injection and obtain sensitive data from the affected M365 Copilot deployment. The published EPSS score of 0.1940 indicates a moderate exploitation probability, with no material rise observed after disclosure.

Microsoft has published an advisory at the Microsoft Security Response Center that addresses the issue, and additional technical analysis is available from AIM Security. That the vulnerability occurs in an AI-driven productivity service underscores risks specific to command handling within large language model integrations: untrusted content the assistant processes can be interpreted as instructions, and defences must treat such content as data rather than rely on the model to distinguish the two.

Vulnerability details

AI command injection in M365 Copilot allows an unauthorized attacker to disclose information over a network.

CWE(s)

CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

AI Security Analysis

AI category: Enterprise AI Assistants
Risk domain: LLM/Generative AI Risks
OWASP Top 10 for LLMs 2025: LLM01:2025 Prompt Injection
Classification reason: matched keywords "ai", "m365 copilot"

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

AI command injection in M365 Copilot enables unauthorized remote exploitation of a public-facing cloud application to disclose information over the network.

MITRE ATLAS Techniques

AML.T0051: LLM Prompt Injection

Affected Assets

Vendor: Microsoft
Product: 365 Copilot
Versions: all versions

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-74: Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and verifiable flaw remediation corrects them before deployment.

Addresses CWE-74: Anomaly and attack monitoring identifies indicators of injection attacks (command, SQL, LDAP, etc.).
