Part of Lyceum Intelligence — deep-research In Focus reports → · Lyceum Corpus — ask the documents →

Full-text search across 381 articles. Typo-tolerant.

Lyceum News Desk ·

CVE-2026-42898 -- CVSS 9.9 Vulnerability Briefing

CVE-2026-42898 | CVSS 9.9 (Critical) | Exploit: PoC available

What Is It

CVE-2026-42898 is a code injection vulnerability in Microsoft Dynamics 365 (on-premises) that allows an authenticated attacker to execute arbitrary code remotely over a network.

Technical Detail

The flaw stems from improper control of code generation within the on-premises deployment of Microsoft Dynamics 365, a class of vulnerability where user-supplied or attacker-controlled input is processed in a way that allows injected code to be interpreted and executed by the application. An authorized attacker with network access can craft malicious input to trigger code execution on the target system, achieving remote code execution (RCE) without requiring elevated privileges beyond initial authenticated access. With a CVSS score of 9.9, the vulnerability is rated Critical, reflecting the high impact to confidentiality, integrity, and availability of the affected system and potentially the broader network environment it operates within.

Exploitation Status

A proof-of-concept (PoC) exploit is publicly available as of this writing. This vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, meaning active exploitation in the wild has not been formally confirmed by CISA. However, the existence of a public PoC significantly lowers the barrier for exploitation and increases the likelihood of active abuse in the near term.

Who Is Targeting This

No specific threat actor attribution has been confirmed at this time. No campaigns, targeted sectors, or adversary groups have been formally linked to exploitation of this vulnerability. Organizations running Microsoft Dynamics 365 on-premises should treat the public PoC as a meaningful escalation in risk regardless of the absence of confirmed attribution.

What To Do

Apply any available Microsoft security update addressing CVE-2026-42898 immediately, prioritizing internet-facing or internally exposed Dynamics 365 on-premises deployments. If a patch is not yet available or cannot be applied immediately, restrict network access to the Dynamics 365 application to only authorized users and systems, enforce strong authentication controls, and monitor application and network logs for anomalous code execution activity or unexpected outbound connections originating from the Dynamics 365 server. Review Microsoft's official security advisory for patch availability and any vendor-recommended workarounds. Given the Critical CVSS rating and public PoC availability, this should be treated as a high-priority remediation item regardless of current KEV status.

In Focus
All analysis →

Deep-research intelligence reports from Lyceum Intelligence — structured assessments with sourced claims and calibrated conclusions.

Browse Intelligence Reports →