
CVE-2025-53728: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in Microsoft Dynamics 365 (on-premises) version 9.1

Severity: Medium
Published: Tue Aug 12 2025 (08/12/2025, 17:10:30 UTC)
Source: CVE Database V5
Vendor/Project: Microsoft
Product: Microsoft Dynamics 365 (on-premises) version 9.1

Description

Exposure of sensitive information to an unauthorized actor in Microsoft Dynamics 365 (on-premises) allows an unauthorized attacker to disclose information over a network.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/14/2026, 10:49:19 UTC

Technical Analysis

CVE-2025-53728 is a vulnerability in Microsoft Dynamics 365 (on-premises) version 9.1, with version 9.0 also listed as affected. It is classified under CWE-200, exposure of sensitive information to an unauthorized actor. The CVSS v3.1 vector indicates that an attacker with no privileges (PR:N) can disclose sensitive information over the network (AV:N), but only with user interaction (UI:R). Integrity and availability are not affected; the impact is on confidentiality alone and is rated high (C:H). The base score is 6.5 (medium). Scope is unchanged (S:U), meaning the impact stays confined to the vulnerable component rather than extending to other security authorities. The vulnerability was published on August 12, 2025, with no known exploitation in the wild and no patch available at the time of this analysis. The exposure most likely stems from improper access control or information leakage in the on-premises deployment, which could let an attacker retrieve or intercept sensitive data that the system stores or transmits. Because Dynamics 365 is widely deployed in enterprises for customer relationship management and business operations, the flaw carries a real risk of data leakage affecting business confidentiality and personal privacy.

Potential Impact

For European organizations, exposure of sensitive information could lead to privacy violations, regulatory non-compliance (e.g., GDPR), and reputational damage. Enterprises that rely on Microsoft Dynamics 365 to manage customer data, financial records, or operational workflows may suffer breaches exposing confidential business or personal information, with legal penalties and loss of customer trust as possible consequences. The network-based attack vector means the flaw can be exploited remotely, so the impact can be widespread where internal network segmentation and access controls are weak. Finance, healthcare, government, and critical-infrastructure organizations in Europe are particularly exposed because of the sensitivity of the data they handle and their strategic importance. With no patch available, the window of exposure is open-ended, so compensating controls should be applied now to reduce risk.

Mitigation Recommendations

1. Restrict network access to Microsoft Dynamics 365 on-premises installations with strict firewall rules and network segmentation, limiting exposure to trusted users and systems only.
2. Enforce multi-factor authentication and strong access controls to reduce the risk of unauthorized user interaction that could trigger the vulnerability.
3. Monitor network traffic and system logs for unusual data access patterns or exfiltration attempts related to Dynamics 365 services.
4. Where feasible, disable or limit features that transmit sensitive information over the network until a patch is available.
5. Prepare for rapid deployment of official Microsoft patches or updates once released, including testing in controlled environments.
6. Conduct security awareness training so users understand the risk of interacting with potentially malicious content that could trigger the vulnerability.
7. Review and tighten data classification and handling policies to minimize the amount of sensitive information accessible through Dynamics 365.
8. Engage with Microsoft support and subscribe to security advisories to stay informed about developments related to this vulnerability.


Technical Details

Data Version
5.1
Assigner Short Name
microsoft
Date Reserved
2025-07-09T03:10:34.738Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 689b774dad5a09ad00349218

Added to database: 8/12/2025, 5:18:05 PM

Last enriched: 2/14/2026, 10:49:19 AM

Last updated: 3/24/2026, 12:53:51 PM

