PT-2026-26140 · Microsoft · Sql Server Reporting Services

Published

2026-03-18

·

Updated

2026-03-19

·

CVE-2025-58112

CVSS v3.1

8.8

High

Vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Microsoft Dynamics 365 Customer Engagement (on-premises) version 1612 (9.0.2.3034)

Description

The software allows customized reports to be generated from raw SQL queries embedded in an uploaded .rdl (Report Definition Language) file, which SQL Server Reporting Services then processes. An account holding the Add Reporting Services Reports privilege can upload a malicious .rdl file; if such a file is already loaded and executable by the user, that privilege is not required. A malicious actor can then trigger report generation, causing arbitrary SQL commands to execute in the underlying database. Depending on the permissions of the account under which SQL Server Reporting Services runs, an attacker may be able to perform further actions, such as accessing linked servers or executing operating system commands. The API endpoint involved is the report generation service that processes the uploaded .rdl file; the vulnerable parameter is the content of the .rdl file itself, which carries the raw SQL queries.

Recommendations

For Microsoft Dynamics 365 Customer Engagement (on-premises) version 1612 (9.0.2.3034), restrict access to the report generation service and validate every uploaded .rdl file so that malicious SQL cannot be injected. As a temporary workaround, consider disabling the upload of custom .rdl files until a more permanent solution is available.
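One way to implement the recommended validation of uploaded .rdl files, as an added example that is not code from the advisory or from Microsoft: it parses the RDL XML, pulls the query out of every DataSet and refuses anything beyond a single read-only SELECT, including the linked-server and command-execution constructs the description mentions. The blocked-keyword list and the two sample reports are this example's own assumptions and constructed inputs.

```python
# Added example (not from the advisory or Microsoft): static gate for uploaded .rdl files that
# parses the RDL XML and refuses any DataSet query beyond a single read-only SELECT.
import re
import xml.etree.ElementTree as ET

BLOCKED = re.compile(  # constructs a customer-facing report query should never need (assumed list)
    r"\b(xp_cmdshell|sp_oacreate|sp_oamethod|openquery|openrowset|opendatasource|"
    r"sp_executesql|sp_configure|exec(ute)?|insert|update|delete|drop|alter|create|grant|shutdown)\b",
    re.IGNORECASE)

def _local(tag):  # the RDL namespace URI differs per schema version, so match on local name
    return tag.rsplit("}", 1)[-1]

def extract_queries(rdl_xml):
    """Return [(dataset_name, command_type, command_text), ...] for every DataSet."""
    out = []
    for ds in ET.fromstring(rdl_xml).iter():
        if _local(ds.tag) != "DataSet":
            continue
        ctype, ctext = "Text", ""  # RDL's default CommandType is Text
        for el in ds.iter():
            if _local(el.tag) == "CommandType":
                ctype = (el.text or "").strip() or "Text"
            elif _local(el.tag) == "CommandText":
                ctext = (el.text or "").strip()
        out.append((ds.get("Name", "?"), ctype, ctext))
    return out

def find_violations(rdl_xml):
    """Return (dataset, reason) pairs; an empty list means the upload may proceed."""
    issues = []
    for name, ctype, text in extract_queries(rdl_xml):
        if ctype != "Text":  # stored procedures / TableDirect cannot be reviewed statically
            issues.append((name, f"CommandType {ctype} not allowed"))
        if ";" in text.rstrip(";"):  # stacked statements are the classic injection shape
            issues.append((name, "multiple statements"))
        if not re.match(r"\s*select\b", text, re.IGNORECASE):
            issues.append((name, "query does not start with SELECT"))
        if m := BLOCKED.search(text):
            issues.append((name, f"blocked keyword {m.group(0)}"))
    return issues

# Constructed sample reports: one benign, one carrying the patterns the advisory describes.
NS = 'xmlns="http://schemas.microsoft.com/sqlserver/reporting/2016/01/reportdefinition"'
SAMPLE_OK = (f'<Report {NS}><DataSets><DataSet Name="Accounts"><Query><CommandText>'
             'SELECT name, createdon FROM account WHERE statecode = 0</CommandText></Query></DataSet></DataSets></Report>')
SAMPLE_BAD = (f'<Report {NS}><DataSets><DataSet Name="Audit"><Query><CommandText>'
              'SELECT name FROM account; DROP TABLE audit_log</CommandText></Query></DataSet>'
              '<DataSet Name="Remote"><Query><CommandType>Text</CommandType><CommandText>'
              "SELECT * FROM OPENQUERY(LINKEDSRV, 'SELECT 1')</CommandText></Query></DataSet></DataSets></Report>")
```

Run the gate at upload time and again before any previously stored .rdl is rendered, since the advisory notes that an already-loaded file is exploitable without the upload privilege.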

Fix

SQL injection

Weakness Enumeration

Related Identifiers

CVE-2025-58112

Affected Products

Dynamics 365 Customer Engagement
Sql Server Reporting Services