Issuing CNA: Microsoft

Missing synchronization in Windows Hyper-V allows an authorized attacker to deny service over an adjacent network.

According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?

In this case, a successful attack could be performed from a low privilege Hyper-V guest. The attacker could traverse the guest's security boundary to cause denial of service on the Hyper-V host environment.

According to the CVSS metric, the Hyper-V attack vector is adjacent (AV:A). What does that mean for this vulnerability?

Where the attack vector metric is Adjacent (A), this represents virtual machines connected via a Hyper-V Network Virtualization (HNV) logical network. This configuration forms an isolation boundary where the virtual machines within the virtual network can only communicate with each other. In this attack vector, the vulnerable component is bound to the network stack, but the attack is limited to systems configured to use the HNV network.

Information published.

Issuing CNA: Microsoft

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Dynamics 365 (on-premises) allows an unauthorized attacker to perform spoofing over a network.

According to the CVSS metrics, successful exploitation of this vulnerability could lead to no loss of confidentiality (C:L), some loss of integrity (I:L) but have no effect on availability (A:N). What is the impact of this vulnerability?

An attacker who successfully exploited the vulnerability could view some sensitive information (Confidentiality), make changes to disclosed information (Integrity), but cannot limit access to the resource (Availability).

According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

The user would have to click on a specially crafted URL to be compromised by the attacker.

Information published.

Issuing CNA: Microsoft

Improper neutralization of special elements used in an sql command ('sql injection') in SQL Server allows an authorized attacker to elevate privileges over a network.

How could an attacker exploit this vulnerability?

An authenticated attacker with explicit permissions could exploit the vulnerability by logging in to the SQL server and could then elevate their privileges to sysadmin.

What privileges could be gained by an attacker who successfully exploited the vulnerability?

An attacker who successfully exploited this vulnerability could gain administrator privileges.

I am running SQL Server on my system. What action do I need to take?

Update your relevant version of SQL Server. Any applicable driver fixes are included in those updates.

There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?

• First, determine your SQL Server version number. For more information on determining your SQL Server version number, see Microsoft Knowledge Base Article 321185 - How to determine the version, edition, and update level of SQL Server and its components.
• Second, in the following table, locate your version number or the version range that your version number falls within. The corresponding update is the one you need to install.

Note If your SQL Server version number is not represented in the table below, your SQL Server version is no longer supported. Please upgrade to the latest Service Pack or SQL Server product to apply this and future security updates.

What are the GDR and CU update designations and how do they differ?

The General Distribution Release (GDR) and Cumulative Update (CU) designations correspond to the two different servicing options in place for SQL Server baseline releases. A baseline can be either an RTM release or a Service Pack release.

• GDR updates – cumulatively only contain security updates for the given baseline.
• CU updates – cumulatively contain all functional fixes and security updates for the given baseline.

For any given baseline, either the GDR or CU updates could be options (see below).

• If SQL Server installation is at a baseline version, you can choose either the GDR or CU update.
• If SQL Server installation has intentionally only installed past GDR updates, then choose to install the GDR update package.
• If SQL Server installation has intentionally installed previous CU updates, then chose to install the CU security update package.

Note: You are allowed to make a change from GDR updates to CU updates ONE TIME. Once a SQL Server CU update is applied to a SQL Server installation, there is NO way to go back to the GDR update path.

Can the security updates be applied to SQL Server instances on Windows Azure (IaaS)?

Yes. SQL Server instances on Windows Azure (IaaS) can be offered the security updates through Microsoft Update, or customers can download the security updates from Microsoft Download Center and apply them manually.

Information published.

Issuing CNA: Microsoft

Improper neutralization of special elements used in an sql command ('sql injection') in SQL Server allows an authorized attacker to elevate privileges over a network.

How could an attacker exploit the vulnerability?

An attacker could inject arbitrary T-SQL commands by crafting a malicious database name.

What privileges could be gained by an attacker who successfully exploited the vulnerability?

An attacker who successfully exploited this vulnerability could gain sysadmin privileges.

I am running SQL Server on my system. What action do I need to take?

Update your relevant version of SQL Server. Any applicable driver fixes are included in those updates.

There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?

• First, determine your SQL Server version number. For more information on determining your SQL Server version number, see Microsoft Knowledge Base Article 321185 - How to determine the version, edition, and update level of SQL Server and its components.
• Second, in the following table, locate your version number or the version range that your version number falls within. The corresponding update is the one you need to install.

Note If your SQL Server version number is not represented in the table below, your SQL Server version is no longer supported. Please upgrade to the latest Service Pack or SQL Server product to apply this and future security updates.

What are the GDR and CU update designations and how do they differ?

The General Distribution Release (GDR) and Cumulative Update (CU) designations correspond to the two different servicing options in place for SQL Server baseline releases. A baseline can be either an RTM release or a Service Pack release.

• GDR updates – cumulatively only contain security updates for the given baseline.
• CU updates – cumulatively contain all functional fixes and security updates for the given baseline.

For any given baseline, either the GDR or CU updates could be options (see below).

• If SQL Server installation is at a baseline version, you can choose either the GDR or CU update.
• If SQL Server installation has intentionally only installed past GDR updates, then choose to install the GDR update package.
• If SQL Server installation has intentionally installed previous CU updates, then chose to install the CU security update package.

Note: You are allowed to make a change from GDR updates to CU updates ONE TIME. Once a SQL Server CU update is applied to a SQL Server installation, there is NO way to go back to the GDR update path.

Can the security updates be applied to SQL Server instances on Windows Azure (IaaS)?

Yes. SQL Server instances on Windows Azure (IaaS) can be offered the security updates through Microsoft Update, or customers can download the security updates from Microsoft Download Center and apply them manually.

Information published.

Issuing CNA: Microsoft

Improper access control in Azure File Sync allows an authorized attacker to elevate privileges locally.

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.

Information published.

Issuing CNA: Microsoft

Exposure of sensitive information to an unauthorized actor in Microsoft Exchange Server allows an unauthorized attacker to disclose information over a network.

What type of information could be disclosed by this vulnerability?

The type of information that could be disclosed if an attacker successfully exploited this vulnerability is whether an email address exists on the server or not.

Information published.

Issuing CNA: Microsoft

Use after free in Microsoft Office Visio allows an unauthorized attacker to execute code locally.

Is the Preview Pane an attack vector for this vulnerability?

No, the Preview Pane is not an attack vector.

According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

A user would need to be tricked into opening a malicious file in Visio.

According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?

The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability.

Information published.

Issuing CNA: Microsoft

Heap-based buffer overflow in Microsoft Office Excel allows an unauthorized attacker to execute code locally.

According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?

The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability.

According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

An attacker must send the user a malicious file and convince them to open it.

Is the Preview Pane an attack vector for this vulnerability?

No, the Preview Pane is not an attack vector.

Information published.

Issuing CNA: Microsoft

Use of uninitialized resource in Microsoft Office Excel allows an unauthorized attacker to execute code locally.

According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?

The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability.

According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

An attacker must send the user a malicious file and convince them to open it.

Is the Preview Pane an attack vector for this vulnerability?

No, the Preview Pane is not an attack vector.

Information published.

Issuing CNA: Microsoft

Server-side request forgery (ssrf) in Microsoft Office SharePoint allows an authorized attacker to elevate privileges over a network.

According to the CVSS metrics, successful exploitation of this vulnerability could lead to a high loss of confidentiality (C:H), and some loss of integrity (I:L) and no loss of availability (A:N). What does that mean for this vulnerability?

An attacker who successfully exploited this vulnerability could view sensitive information, a token in this scenario (Confidentiality), and make some changes to disclosed information (Integrity), but they would not be able to affect Availability.

What privileges could be gained by an attacker who successfully exploited the vulnerability?

An attacker who successfully exploited this vulnerability could gain the privileges of the compromised user.

I am running SharePoint Server 2016. Do the updates for SharePoint Enterprise Server 2016 also apply to the version I am running?

Yes. The same KB number applies to both SharePoint Server 2016 and SharePoint Enterprise Server 2016. Customers running either version should install the security update to be protected from this vulnerability.

Information published.

Issuing CNA: Microsoft

Use after free in Microsoft Office PowerPoint allows an unauthorized attacker to execute code locally.

According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?

The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability.

According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

An attacker must send the user a malicious file and convince them to open it.

Is the Preview Pane an attack vector for this vulnerability?

No, the Preview Pane is not an attack vector.

Information published.

Issuing CNA: Microsoft

Improper access control in SQL Server allows an authorized attacker to elevate privileges over a network.

How could an attacker exploit this vulnerability?

An authenticated attacker with explicit permissions could exploit the vulnerability by logging in to the SQL server and could then elevate their privileges to sysadmin.

What privileges could be gained by an attacker who successfully exploited the vulnerability?

An attacker who successfully exploited this vulnerability could gain sysadmin privileges.

I am running SQL Server on my system. What action do I need to take?

Update your relevant version of SQL Server. Any applicable driver fixes are included in those updates.

There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?

• First, determine your SQL Server version number. For more information on determining your SQL Server version number, see Microsoft Knowledge Base Article 321185 - How to determine the version, edition, and update level of SQL Server and its components.
• Second, in the following table, locate your version number or the version range that your version number falls within. The corresponding update is the one you need to install.

Note If your SQL Server version number is not represented in the table below, your SQL Server version is no longer supported. Please upgrade to the latest Service Pack or SQL Server product to apply this and future security updates.

What are the GDR and CU update designations and how do they differ?

The General Distribution Release (GDR) and Cumulative Update (CU) designations correspond to the two different servicing options in place for SQL Server baseline releases. A baseline can be either an RTM release or a Service Pack release.

• GDR updates – cumulatively only contain security updates for the given baseline.
• CU updates – cumulatively contain all functional fixes and security updates for the given baseline.

For any given baseline, either the GDR or CU updates could be options (see below).

• If SQL Server installation is at a baseline version, you can choose either the GDR or CU update.
• If SQL Server installation has intentionally only installed past GDR updates, then choose to install the GDR update package.
• If SQL Server installation has intentionally installed previous CU updates, then chose to install the CU security update package.

Note: You are allowed to make a change from GDR updates to CU updates ONE TIME. Once a SQL Server CU update is applied to a SQL Server installation, there is NO way to go back to the GDR update path.

Can the security updates be applied to SQL Server instances on Windows Azure (IaaS)?

Yes. SQL Server instances on Windows Azure (IaaS) can be offered the security updates through Microsoft Update, or customers can download the security updates from Microsoft Download Center and apply them manually.

Information published.

Issuing CNA: Microsoft

Deserialization of untrusted data in Web Deploy allows an authorized attacker to execute code over a network.

How could an attacker exploit the vulnerability?

An authenticated attacker could exploit the vulnerability by sending a malicious http request to the web server.

Information published.

Issuing CNA: Microsoft

Improper neutralization of special elements used in a command ('command injection') in GitHub Copilot and Visual Studio allows an unauthorized attacker to execute code locally.

According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

Exploitation of this vulnerability requires that a user trigger the payload in the application.

According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?

The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability.

Information published.

Issuing CNA: Microsoft

Exposure of sensitive information to an unauthorized actor in Azure Virtual Machines allows an authorized attacker to disclose information over a network.

Why are there no links to an update or instructions with steps that must be taken to protect from this vulnerability?

This vulnerability has already been fully mitigated by Microsoft. There is no action for users of this service to take. The purpose of this CVE is to provide further transparency.

Please see Toward greater transparency: Unveiling Cloud Service CVEs for more information.

Information published.

Issuing CNA: Microsoft

On April 18th 2025, Microsoft announced Exchange Server Security Changes for Hybrid Deployments and accompanying non-security Hot Fix. Microsoft made these changes in the general interest of improving the security of hybrid Exchange deployments. Following further investigation, Microsoft identified specific security implications tied to the guidance and configuration steps outlined in the April announcement. Microsoft is issuing CVE-2025-53786 to document a vulnerability that is addressed by taking the steps documented with the April 18th announcement. Microsoft strongly recommends reading the information, installing the April 2025 (or later) Hot Fix and implementing the changes in your Exchange Server and hybrid environment.

What privileges could be gained by an attacker who successfully exploited the vulnerability within the organization’s cloud environment?

In an Exchange hybrid deployment, an attacker who first gains administrative access to an on-premises Exchange server could potentially escalate privileges within the organization’s connected cloud environment without leaving easily detectable and auditable trace. This risk arises because Exchange Server and Exchange Online share the same service principal in hybrid configurations.

According to the CVSS metric, successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?

In this scenario, successfully exploiting the vulnerability could enable an attacker to escalate privileges within the organization’s connected cloud environment without leaving easily detectable and auditable traces.

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to first gain or possess administrator access on an Exchange Server.

Microsoft Exchange Server Subscription Edition RTM didn't exist in April when the hot fix was released. Why is it listed in the Security Updates Table?

Support for the dedicated Exchange hybrid app feature is already part of the initial release of the Exchange Server SE version. If you have already migrated to the newest version you already have this level of protection from the vulnerability. All you need to do is to follow the steps as outlined in the documentation to enable the feature and clear the certificates from the shared service principals keyCredentials.

What steps do I need to take to better protect my hybrid environment?

1. If you're using Exchange hybrid, install the Hot Fix (or newer release) on your on-premises Exchange servers and follow the configuration instructions outlined in Deploy dedicated Exchange hybrid app. For additional details, refer to Exchange Server Security Changes for Hybrid Deployments. After completing the steps, be sure to reset the service principal's keyCredentials.

2. If you’ve previously configured Exchange hybrid or OAuth authentication between Exchange Server and your Exchange Online organization but no longer use it, make sure to reset the service principal's keyCredentials.

Information published.

Issuing CNA: Chrome

Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

What is the version information for this release?

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
2. Click on Help and Feedback
3. Click on About Microsoft Edge

Information published.

Issuing CNA: Chrome

Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

What is the version information for this release?

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
2. Click on Help and Feedback
3. Click on About Microsoft Edge

Information published.

Issuing CNA: Chrome

Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

What is the version information for this release?

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
2. Click on Help and Feedback
3. Click on About Microsoft Edge

Information published.

Issuing CNA: Chrome

Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

What is the version information for this release?

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
2. Click on Help and Feedback
3. Click on About Microsoft Edge

Information published.

Issuing CNA: Chrome

Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

What is the version information for this release?

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

How can I see the version of the browser?

1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
2. Click on Help and Feedback
3. Click on About Microsoft Edge

Information published.