CVE-2024-21380: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in Microsoft Dynamics 365 Business Central 2022 Release Wave 2

Severity: High
Type: Vulnerability | Tags: cve-2024-21380, cwe-200
Published: Tue Feb 13 2024 (02/13/2024, 18:02:43 UTC)
Source: CVE
Vendor/Project: Microsoft
Product: Microsoft Dynamics 365 Business Central 2022 Release Wave 2

Description

Microsoft Dynamics Business Central/NAV Information Disclosure Vulnerability

AI-Powered Analysis

Last updated: 06/26/2025, 08:07:16 UTC

Technical Analysis

CVE-2024-21380 is a high-severity vulnerability classified under CWE-200, exposure of sensitive information to an unauthorized actor. It affects Microsoft Dynamics 365 Business Central 2022 Release Wave 2, specifically version 21.0.0. Exploitation is remote over the network, requires only low privileges, but also requires user interaction and has a high attack complexity. A successful attack results in a complete loss of confidentiality, integrity, and availability (C, I and A all rated high), and the scope is changed, meaning the impact reaches components beyond the initially vulnerable one. The CVSS 3.1 vector (AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H) encodes exactly these conditions: network access, low privileges, user interaction and high complexity, with full system impact if the attack succeeds.

The flaw is an information disclosure issue in Microsoft Dynamics 365 Business Central, a widely used enterprise resource planning (ERP) solution for small and medium-sized businesses that manages finance, operations, sales, and customer service. The exposed information could include business-critical data such as financial records, customer data, or operational details, which could be leveraged for further attacks or cause significant business disruption.

No known exploits are currently reported in the wild, and no official patches have been linked yet, although the vulnerability has been publicly disclosed since February 2024. Given the critical nature of the data handled by Dynamics 365 Business Central, this vulnerability poses a significant risk to organizations relying on the platform, especially where attackers can trick users into the interaction needed to trigger it.

Potential Impact

For European organizations, the impact of CVE-2024-21380 could be substantial. The exposure of sensitive business information can lead to financial losses, regulatory penalties under GDPR due to data breaches, and reputational damage. Since Dynamics 365 Business Central is used across various sectors including finance, manufacturing, retail, and public services, the compromise of data confidentiality and integrity could disrupt business operations and supply chains. The high severity and scope change imply that attackers might escalate the impact beyond initial access, potentially affecting multiple systems integrated with Dynamics 365. European companies with complex ERP integrations may face cascading effects. Additionally, the requirement for user interaction means phishing or social engineering campaigns could be used to exploit this vulnerability, increasing the risk of targeted attacks against European enterprises. The lack of known exploits currently provides a window for mitigation, but the public disclosure increases the risk of future exploitation attempts.

Mitigation Recommendations

Organizations should prioritize the following mitigation steps:

1) Monitor for official Microsoft security advisories and apply patches immediately once available.
2) Implement strict access controls and minimize user privileges within Dynamics 365 Business Central to reduce the attack surface.
3) Educate users about phishing and social engineering risks to prevent the user interaction component of the exploit.
4) Employ network segmentation to isolate ERP systems from general user networks and limit exposure to external networks.
5) Enable and review detailed logging and monitoring on Dynamics 365 Business Central to detect unusual access patterns or data exfiltration attempts.
6) Consider deploying Web Application Firewalls (WAFs) or Intrusion Detection/Prevention Systems (IDS/IPS) with rules tailored to Dynamics 365 traffic to block suspicious activities.
7) Conduct regular security assessments and penetration testing focused on ERP systems to identify and remediate potential weaknesses proactively.


Technical Details

Data Version: 5.1
Assigner Short Name: microsoft
Date Reserved: 2023-12-08T22:45:20.452Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9836c4522896dcbeabad

Added to database: 5/21/2025, 9:09:10 AM

Last enriched: 6/26/2025, 8:07:16 AM

Last updated: 8/17/2025, 9:23:53 AM
