CVE-2024-21380: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in Microsoft Microsoft Dynamics 365 Business Central 2022 Release Wave 2
Microsoft Dynamics Business Central/NAV Information Disclosure Vulnerability
AI Analysis
Technical Summary
CVE-2024-21380 is a high-severity vulnerability classified under CWE-200 (exposure of sensitive information to an unauthorized actor). It affects Microsoft Dynamics 365 Business Central 2022 Release Wave 2, specifically version 21.0.0. The flaw can be exploited remotely over the network by an attacker who already holds low privileges, but exploitation requires user interaction and has high attack complexity. A successful attack results in a complete compromise of confidentiality, integrity, and availability (C, I, and A all rated high), and the scope is changed, meaning the impact extends to components beyond the initially vulnerable one. The CVSS 3.1 vector (AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H) encodes these conditions: network access, low privileges, user interaction, and high complexity, with full system impact on success. The underlying weakness is an information disclosure flaw in Microsoft Dynamics 365 Business Central, a widely used enterprise resource planning (ERP) solution designed for small and medium-sized businesses to manage finance, operations, sales, and customer service. The exposed information could include business-critical data such as financial records, customer data, or operational details, which could be leveraged for further attacks or cause significant business disruption. No exploits are currently reported in the wild, and no official patches have been linked yet, although the vulnerability has been publicly disclosed since February 2024. Given the critical nature of the data handled by Dynamics 365 Business Central, this vulnerability poses a significant risk to organizations relying on the platform, especially where attackers can trick users into the interaction needed to trigger the exploit.
Potential Impact
For European organizations, the impact of CVE-2024-21380 could be substantial. The exposure of sensitive business information can lead to financial losses, regulatory penalties under GDPR due to data breaches, and reputational damage. Since Dynamics 365 Business Central is used across various sectors including finance, manufacturing, retail, and public services, the compromise of data confidentiality and integrity could disrupt business operations and supply chains. The high severity and scope change imply that attackers might escalate the impact beyond initial access, potentially affecting multiple systems integrated with Dynamics 365. European companies with complex ERP integrations may face cascading effects. Additionally, the requirement for user interaction means phishing or social engineering campaigns could be used to exploit this vulnerability, increasing the risk of targeted attacks against European enterprises. The lack of known exploits currently provides a window for mitigation, but the public disclosure increases the risk of future exploitation attempts.
Mitigation Recommendations
Organizations should prioritize the following mitigation steps:
1) Monitor for official Microsoft security advisories and apply patches immediately once available.
2) Implement strict access controls and minimize user privileges within Dynamics 365 Business Central to reduce the attack surface.
3) Educate users about phishing and social engineering risks to prevent the user interaction component of the exploit.
4) Employ network segmentation to isolate ERP systems from general user networks and limit exposure to external networks.
5) Enable and review detailed logging and monitoring on Dynamics 365 Business Central to detect unusual access patterns or data exfiltration attempts.
6) Consider deploying Web Application Firewalls (WAFs) or Intrusion Detection/Prevention Systems (IDS/IPS) with rules tailored to Dynamics 365 traffic to block suspicious activities.
7) Conduct regular security assessments and penetration testing focused on ERP systems to identify and remediate potential weaknesses proactively.
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Sweden, Belgium, Poland, Ireland
Technical Details
- Data Version: 5.1
- Assigner Short Name: microsoft
- Date Reserved: 2023-12-08T22:45:20.452Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682d9836c4522896dcbeabad
Added to database: 5/21/2025, 9:09:10 AM
Last enriched: 6/26/2025, 8:07:16 AM
Last updated: 8/17/2025, 9:23:53 AM