Cyber Posture

CVE-2025-64655

High

Published: 20 November 2025

Published
20 November 2025
Modified
10 December 2025
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0008 24.2th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-64655 is a high-severity Improper Authorization (CWE-285) vulnerability in Microsoft Dynamics Omnichannel Sdk Storage Containers. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 24.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match
prevent

Enforces approved authorizations for access to system resources, directly mitigating the improper authorization flaw enabling privilege elevation in storage containers.

AC-24 Access Control Decisions good match
prevent

Requires access control decisions based on explicit authorizations, addressing the flawed authorization mechanisms that allow unauthorized privilege escalation.

AC-6 Least Privilege partial match
prevent

Limits privileges to the minimum necessary, reducing the impact of successful privilege elevation via the authorization vulnerability.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
attack.mitre.org →
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

CVE enables remote unauthorized privilege escalation through improper authorization in a network-accessible service, directly facilitating T1068 (Exploitation for Privilege Escalation) and T1190 (Exploit Public-Facing Application).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Improper authorization in Dynamics OmniChannel SDK Storage Containers allows an unauthorized attacker to elevate privileges over a network.

Deeper analysisAI

CVE-2025-64655 is an improper authorization vulnerability (CWE-285) in the Dynamics OmniChannel SDK Storage Containers. Published on 2025-11-20T23:15:56.750, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). The issue stems from flawed authorization mechanisms that enable unauthorized privilege elevation over a network.

An unauthorized attacker can exploit this vulnerability remotely with low complexity and no required privileges, though user interaction is necessary. Successful exploitation allows the attacker to achieve high impacts on confidentiality, integrity, and availability, specifically by elevating privileges within the affected storage containers.

Security practitioners should consult the Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-64655 for details on patches, workarounds, and mitigation guidance.

Details

CWE(s)
CWE-285

Affected Products

microsoft
dynamics omnichannel sdk storage containers
all versions

CVEs Like This One

CVE-2025-53792Same vendor: Microsoft
CVE-2026-24305Same vendor: Microsoft
CVE-2025-26683Same vendor: Microsoft
CVE-2026-33105Same vendor: Microsoft
CVE-2025-53795Same vendor: Microsoft
CVE-2025-21275Same vendor: Microsoft
CVE-2025-49701Same vendor: Microsoft
CVE-2025-21348Same vendor: Microsoft
CVE-2025-24053Same vendor: Microsoft
CVE-2026-27912Same vendor: Microsoft

References