CVE-2025-32711
Published: 11 June 2025
Summary
CVE-2025-32711 is a critical-severity Injection (CWE-74) vulnerability in Microsoft 365 Copilot. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 4.5% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related: it is categorised as Enterprise AI Assistants, falls in the LLM/Generative AI Risks risk domain, and maps to the MITRE ATLAS technique LLM Prompt Injection (AML.T0051).
Deeper analysis
CVE-2025-32711 is an AI command injection vulnerability in Microsoft 365 Copilot that is tracked under CWE-74. The flaw permits unauthorized information disclosure across a network and carries a CVSS 3.1 score of 9.3, reflecting network attack vector, low attack complexity, no required privileges or user interaction, and changed scope with high confidentiality impact.
An unauthenticated attacker can send crafted inputs over the network to trigger the command injection and obtain sensitive data from the affected M365 Copilot deployment. The published EPSS score of 0.1940 indicates moderate exploitation probability with no material rise observed after disclosure.
Microsoft has published an advisory at the Microsoft Security Response Center that addresses the issue, and additional technical analysis is available from AIM Security. The vulnerability’s occurrence in an AI-driven productivity service underscores risks specific to command handling within large language model integrations.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-18114
Vulnerability details
AI command injection in M365 Copilot allows an unauthorized attacker to disclose information over a network.
- CWE(s): CWE-74 (Injection)
AI Security Analysis
- AI Category: Enterprise AI Assistants
- Risk Domain: LLM/Generative AI Risks
- OWASP Top 10 for LLMs 2025
- Classification Reason: Matched keywords: ai, m365 copilot
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
AI command injection in M365 Copilot enables unauthorized remote exploitation of a public-facing cloud application to disclose information over the network.
MITRE ATLAS Techniques
- LLM Prompt Injection (AML.T0051)
Affected Assets
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Developer assessments and testing (including injection-focused techniques) that identify improper neutralization of special elements, with verifiable flaw remediation correcting them before deployment.
- Anomaly and attack monitoring that identifies indicators of injection attacks (command, SQL, LDAP, etc.).