CVE-2025-49745 is a cross-site scripting (XSS) vulnerability classified under CWE-79 that affects Microsoft Dynamics 365 (on-premises) version 9.1, including affected versions starting from 9.0. The vulnerability stems from improper neutralization of user-supplied input during web page generation, which allows an attacker to inject malicious scripts into web pages viewed by other users. This flaw enables unauthorized attackers to perform spoofing attacks over a network, potentially tricking users into executing malicious actions or disclosing sensitive information. The vulnerability does not require any privileges or authentication to exploit, but it does require user interaction, such as clicking a crafted link or visiting a malicious webpage. The CVSS v3.1 base score is 5.4, indicating medium severity, with the vector string AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C. This means the attack can be launched remotely over the network with low attack complexity, no privileges required, but user interaction is necessary. The impact affects confidentiality and integrity by potentially exposing sensitive data or allowing spoofing but does not affect system availability. No public exploits or patches have been reported or released yet, but the vulnerability is officially published and reserved by Microsoft as of August 2025. Given the widespread use of Microsoft Dynamics 365 in enterprise environments, especially in Europe, this vulnerability poses a significant risk to organizations relying on on-premises deployments for customer relationship management and business operations.

For European organizations, this vulnerability could lead to unauthorized disclosure of sensitive business information and enable attackers to impersonate legitimate users or services within Microsoft Dynamics 365 environments. This can facilitate phishing, social engineering, or further exploitation of internal systems. The impact is particularly critical for sectors handling sensitive customer data, such as finance, healthcare, and government agencies. Since the vulnerability requires user interaction, the risk is heightened in environments where users may be less aware of social engineering tactics. The integrity of data and trustworthiness of communications within Dynamics 365 could be compromised, potentially leading to financial loss, reputational damage, and regulatory non-compliance under GDPR. However, as availability is not affected, operational disruptions are less likely. The lack of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, especially once exploit code becomes available.

1. Monitor Microsoft security advisories closely and apply official patches or updates for Dynamics 365 (on-premises) version 9.1 as soon as they are released. 2. Implement strict input validation and output encoding on all user-supplied data within customizations or integrations to prevent injection of malicious scripts. 3. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in Dynamics 365 web pages. 4. Educate users on recognizing phishing attempts and suspicious links, emphasizing caution when interacting with unexpected emails or messages. 5. Use web application firewalls (WAFs) with rules tuned to detect and block XSS attack patterns targeting Dynamics 365 interfaces. 6. Conduct regular security assessments and penetration testing focused on web application vulnerabilities in Dynamics 365 deployments. 7. Limit user permissions and roles within Dynamics 365 to the minimum necessary to reduce the potential impact of successful attacks. 8. Review and harden any custom plugins, scripts, or third-party integrations that interact with Dynamics 365 to ensure they do not introduce additional XSS risks.