CVE-2025-55238
Published: 04 September 2025
Summary
CVE-2025-55238 is a high-severity Improper Access Control (CWE-284) vulnerability in Microsoft Dynamics 365 with a CVSS base score of 7.5 (High).
By EPSS it ranks in the top 19.8% of CVEs by estimated exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2025-55238 is an information disclosure vulnerability affecting Dynamics 365 FastTrack Implementation Assets. It carries a CVSS 3.1 base score of 7.5: network attack vector, low attack complexity, no privileges required and no user interaction, with high impact to confidentiality and no impact to integrity or availability. Those metrics correspond to the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N; the scope value is inferred from the score, since the same metrics with a changed scope would compute to 8.6 rather than 7.5. The weakness is categorized under CWE-284 (Improper Access Control).
An unauthenticated remote attacker can exploit the flaw to read implementation assets that should be restricted. Successful exploitation discloses confidential data without elevated privileges or user assistance; the advisory describes no integrity or availability impact.
Microsoft's advisory in the MSRC Security Update Guide describes the vulnerability and any remediation steps for affected Dynamics 365 deployments. The EPSS score is 0.0131 (roughly a 1.3% estimated probability of exploitation activity in the next 30 days), indicating limited observed exploitation interest to date.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-26869
Vulnerability details
Dynamics 365 FastTrack Implementation Assets Information Disclosure Vulnerability
- CWE-284: Improper Access Control
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
- Microsoft Dynamics 365 FastTrack Implementation Assets
Mitigating Controls
Likely Mitigating Controls (AI-generated mapping)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness type (CWE-284) cited in the NVD entry. Treat these as generic access-control guidance rather than vendor remediation for this vulnerability; the MSRC advisory is the authoritative source for fix status.
- Access control policy and procedures: mandate and enforce proper access control mechanisms across the organization.
- Device lock: restricts access until re-authentication, reducing unauthorized use of active sessions.
- Supervision and review of access control activities: detects and remediates improper access configurations or usage.
- Permitted actions without identification or authentication: explicitly identifying and documenting such actions defines the justified exceptions and enforces proper access control boundaries.
- Automatic labeling of outputs with security attributes: supports attribute-based enforcement and reduces exploitability of improper access control weaknesses.
- Association and retention of security attributes with data: supports enforcement of access control decisions across storage, processing, and transmission.
- Authorization of remote access: requiring prior authorization for each remote access type prevents improper access control over remote connections.
- Authorization of wireless access: requiring authorization before allowing wireless connections enforces proper access control for that access method.