CVE-2025-49745: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Microsoft Dynamics 365 (on-premises) version 9.1
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Dynamics 365 (on-premises) allows an unauthorized attacker to perform spoofing over a network.
AI Analysis
Technical Summary
CVE-2025-49745 is a cross-site scripting (XSS) vulnerability, classified under CWE-79, in Microsoft Dynamics 365 (on-premises). The record names version 9.1 in its title and cites version 9.0 in its affected-version data, so treat the on-premises 9.x line as in scope until Microsoft's advisory is checked for the exact fixed build. The flaw is improper neutralization of user-controlled input during web page generation: an attacker can place script into a page that the Dynamics web application later renders for another user, and that script then runs in the victim's browser inside the victim's authenticated session. Microsoft classifies the impact as spoofing over the network, meaning attacker-controlled content can be made to appear as if it came from the trusted Dynamics site. The CVSS v3.1 vector on record requires no privileges (PR:N) but does require user interaction (UI:R), typically a victim following a crafted link to the Dynamics instance, and is reachable over the network (AV:N). Confidentiality and integrity impact are rated low (C:L/I:L) with no availability impact (A:N), for a base score of 5.4 (medium). No exploitation in the wild is reported, and the record does not yet link a patch or vendor mitigation; the CVE was reserved in June 2025 and published in August 2025. The practical consequences are the usual ones for XSS in a CRM/ERP front end: reading data the victim can see, issuing requests on the victim's behalf through the authenticated session, and manipulating what the victim sees in the page. Whether session cookies can be taken directly depends on the cookie attributes of the deployment (HttpOnly cookies are not readable from script), so treat token theft as a possible rather than a certain outcome. Because Dynamics 365 holds customer, sales and financial records, even a low-rated confidentiality and integrity impact can expose sensitive business data.
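The CWE-79 pattern behind this class of bug, as an added example that is not code from the advisory or from Microsoft: a hypothetical Dynamics web resource that greets the user by a name taken from the query string, first with the input concatenated straight into markup, then with the value HTML-encoded for its context. The parameter name (`name`), the page markup and the payload are assumptions made for the illustration.

```javascript
// Added example, not code from the advisory or from Microsoft: the CWE-79
// pattern behind this class of bug, shown on a hypothetical Dynamics web
// resource that greets a user by a name taken from the query string.
// The parameter name ("name") and the page markup are assumptions.

const ENCODE_MAP = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };

// Encode a value for insertion into HTML element content or a quoted attribute.
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENCODE_MAP[ch]);
}

// Query-string parsing as a browser page would do it with URLSearchParams;
// percent-decoding happens here, so "%3C" arrives as "<".
function parseQuery(search) {
  return Object.fromEntries(new URLSearchParams(search).entries());
}

// Vulnerable: untrusted input is concatenated straight into markup (CWE-79).
// Assigning this string to innerHTML in a real page would run the payload.
function renderGreetingUnsafe(search) {
  const { name = "" } = parseQuery(search);
  return `<div id="greeting">Hello, ${name}</div>`;
}

// Hardened: the same page, with every untrusted value encoded for its context.
function renderGreetingSafe(search) {
  const { name = "" } = parseQuery(search);
  return `<div id="greeting">Hello, ${encodeHtml(name)}</div>`;
}

// Return the distinct tag names present in rendered markup, so a check can
// tell whether input introduced elements the page never intended to emit.
function tagNames(html) {
  const tags = html.match(/<\/?[a-zA-Z][a-zA-Z0-9]*/g) || [];
  return [...new Set(tags.map((t) => t.replace(/^<\/?/, "").toLowerCase()))];
}

// Constructed attacker link: the payload needs no <script> tag, an event
// handler on an image is enough, which is why blocklisting "<script" fails.
const PAYLOAD = '<img src=x onerror="alert(document.domain)">';
const ATTACK_SEARCH = "?name=" + encodeURIComponent(PAYLOAD);

// Stand-alone demonstration.
console.log("unsafe:", renderGreetingUnsafe(ATTACK_SEARCH));
console.log("safe:  ", renderGreetingSafe(ATTACK_SEARCH));
```

The encoder here covers element content and quoted attribute values only; a value placed into a URL, a `<script>` block or an inline event handler needs the encoding for that context, and the simplest rule for custom web resources is to use `textContent` rather than `innerHTML` whenever the value is plain text.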
Potential Impact
For European organizations the impact could be significant because Dynamics 365 (on-premises) is widely deployed across finance, manufacturing and the public sector. Successful exploitation gives the attacker script execution in a logged-in user's browser, which can be used to read customer and business records the victim has access to, to submit changes or requests under the victim's identity, and, depending on cookie attributes, to hijack the session. XSS by itself does not provide network access, but a victim with elevated Dynamics privileges (for example a system administrator) lets the attacker act through the application with those privileges, and Dynamics is frequently integrated with other business systems, so the effect can extend beyond the initial compromise. Outcomes include data breaches, GDPR non-compliance, reputational damage and financial loss. Because user interaction is required, phishing or other social engineering will typically be the delivery mechanism, and the medium severity rating should be read as a tangible risk that can be chained with other weaknesses rather than as a reason to defer remediation.
Mitigation Recommendations
Organizations should implement the following specific mitigations. Only the vendor update removes the flaw itself; the remaining items reduce exposure and limit the blast radius while a patch is pending or for customizations the product does not cover. 1) Apply the Microsoft security update for Dynamics 365 (on-premises) version 9.1 and related 9.x builds as soon as it is available, and confirm the installed build against Microsoft's advisory. 2) Apply strict input validation and context-appropriate output encoding to all user-supplied data in custom web resources, plugins and integrations, so that customizations do not add further XSS sinks alongside the product's own. 3) Consider a Content Security Policy for the Dynamics web front end to restrict where script may load from; test it in a non-production environment first, since legacy web resources often rely on inline script and an untested policy will break the client. 4) Run security awareness training focused on recognizing phishing links that point at the internal Dynamics instance, since user interaction is required for exploitation. 5) Monitor IIS and reverse-proxy logs for XSS indicators in request query strings (encoded or double-encoded angle brackets, event-handler attributes, javascript: URLs) against Dynamics paths, and alert on unauthenticated sources sending such requests. 6) Enforce least privilege within Dynamics 365 so that a compromised session carries as few rights as possible. 7) Deploy a Web Application Firewall in front of the Dynamics endpoints with XSS rules, while treating it as a detection and partial-blocking layer rather than a fix. 8) Review and harden custom plugins, scripts and third-party integrations that might introduce or amplify XSS risk.
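One way to implement the log-monitoring item above, as an added example that is not part of the original page or of any Microsoft tooling: a scanner that reads IIS W3C log lines (Dynamics 365 on-premises is served by IIS), repeatedly percent-decodes the query string so that double encoding does not hide the payload, and flags requests whose query contains typical XSS indicators. The log lines are constructed for this example, and the organization name, web resource name and `data` parameter in them are assumptions.

```javascript
// Added example, not from the advisory: scan IIS W3C log lines for XSS
// indicators in the query string. The log lines below are constructed for
// this example; the field layout follows the IIS W3C default field set.

const XSS_INDICATORS = [
  /<\s*script/i,
  /<\s*(img|svg|iframe|body|object|embed)\b/i,
  /\bon[a-z]+\s*=/i,          // event handler attributes: onerror=, onload=, ...
  /javascript\s*:/i,
  /expression\s*\(/i,
  /srcdoc\s*=/i,
];

// Percent-decode until the string stops changing (at most 3 rounds) so that
// double- or triple-encoded payloads are seen in their final form.
function fullyDecode(s) {
  let prev = s;
  let cur = s;
  for (let i = 0; i < 3; i++) {
    try {
      cur = decodeURIComponent(prev.replace(/\+/g, " "));
    } catch (e) {
      return prev; // malformed escape sequence: keep the last good decoding
    }
    if (cur === prev) break;
    prev = cur;
  }
  return cur;
}

// Map one space-separated W3C record onto the field names from the #Fields line.
function parseW3cLine(fields, line) {
  const parts = line.split(" ");
  const rec = {};
  fields.forEach((f, i) => { rec[f] = parts[i] ?? "-"; });
  return rec;
}

// Return one hit per request whose decoded query matches any indicator.
function scanIisLog(logText) {
  let fields = [];
  const hits = [];
  for (const raw of logText.split("\n")) {
    const line = raw.trim();
    if (!line) continue;
    if (line.startsWith("#Fields:")) { fields = line.slice(8).trim().split(/\s+/); continue; }
    if (line.startsWith("#")) continue; // other directives (#Software, #Date)
    const rec = parseW3cLine(fields, line);
    const rawQuery = rec["cs-uri-query"] === "-" ? "" : rec["cs-uri-query"];
    const query = fullyDecode(rawQuery);
    const indicators = XSS_INDICATORS.filter((rx) => rx.test(query)).map((rx) => rx.source);
    if (indicators.length) {
      hits.push({
        time: `${rec.date} ${rec.time}`,
        client: rec["c-ip"],
        user: rec["cs-username"],
        path: rec["cs-uri-stem"],
        status: rec["sc-status"],
        query,
        indicators,
      });
    }
  }
  return hits;
}

// Constructed sample log: one benign form load, one double-encoded payload
// aimed at a hypothetical web resource, one benign record open.
const SAMPLE_LOG = `#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2025-08-13 09:14:02 10.0.0.5 GET /Contoso/main.aspx etn=account&pagetype=entityrecord 443 CONTOSO\\jdoe 10.0.0.77 Mozilla/5.0 200 0 0 120
2025-08-13 09:14:09 10.0.0.5 GET /Contoso/WebResources/new_hello.html data=name%3D%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E 443 - 203.0.113.9 Mozilla/5.0 200 0 0 35
2025-08-13 09:14:11 10.0.0.5 GET /Contoso/main.aspx etn=contact&pagetype=entityrecord 443 CONTOSO\\jdoe 10.0.0.77 Mozilla/5.0 200 0 0 98`;

// Stand-alone demonstration.
for (const hit of scanIisLog(SAMPLE_LOG)) console.log(JSON.stringify(hit));
```

The indicator list is deliberately short and will both miss obfuscated payloads and occasionally fire on legitimate content, so it is a triage feed rather than a blocking rule; the useful signals in a real deployment are the combination of an indicator, an unauthenticated or external client address, and a 200 response from a web-resource or form path.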
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: microsoft
- Date Reserved: 2025-06-09T22:49:37.619Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 689b774aad5a09ad0034910d
Added to database: 8/12/2025, 5:18:02 PM
Last enriched: 8/28/2025, 12:41:07 AM
Last updated: 8/29/2025, 12:34:43 AM
Views: 3
Related Threats
CVE-2025-54777: Uncaught exception in Konica Minolta, Inc. Multiple products in bizhub series (Medium)
CVE-2025-9441: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in iatspaymentsdev iATS Online Forms (Medium)
CVE-2025-9374: CWE-352 Cross-Site Request Forgery (CSRF) in briancolinger Ultimate Tag Warrior Importer (Medium)
CVE-2025-8619: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in garbowza OSM Map Widget for Elementor (Medium)
CVE-2025-8290: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in weblineindia List Subpages (Medium)