
CVE-2025-58112: n/a

Severity: High
Published: Wed Mar 18 2026 (03/18/2026, 00:00:00 UTC)
Source: CVE Database V5

Description

CVE-2025-58112 is a high-severity SQL injection vulnerability in Microsoft Dynamics 365 Customer Engagement (on-premises) version 1612 (9.0.2.3034). It arises from the ability to upload and execute malicious .rdl (Report Definition Language) files through SQL Server Reporting Services. An attacker holding the Add Reporting Services Reports privilege can upload a crafted .rdl file whose dataset queries contain arbitrary SQL commands. Even without that privilege, if a malicious .rdl file is already present and executable by the user, the attacker can trigger report generation and have the embedded SQL executed against the database.

AI-Powered Analysis

Machine-generated threat intelligence

AI analysis last updated: 03/26/2026, 01:14:19 UTC

Technical Analysis

CVE-2025-58112 is a high-severity SQL injection vulnerability affecting Microsoft Dynamics 365 Customer Engagement (on-premises) version 1612 (9.0.2.3034). The flaw lies in the product's handling of .rdl files, the Report Definition Language documents that SQL Server Reporting Services (SSRS) renders into reports. An .rdl file carries its own dataset definitions, and each dataset's CommandText is a query that SSRS sends to the configured data source when the report runs. Users holding the Add Reporting Services Reports permission can upload .rdl files whose datasets contain raw SQL, so an attacker with that permission can upload a report embedding arbitrary SQL statements. If a malicious .rdl file is already present and executable by a user, the attacker needs no upload privilege at all: triggering report generation is enough to run the embedded query.

Exploitation executes attacker-chosen SQL on the backend database, which can lead to unauthorized data access, modification, or deletion. If the account under which report datasets are executed holds elevated database privileges, the attacker may additionally reach linked servers or extended stored procedures and run operating system commands, escalating to full server compromise.

The vulnerability is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), i.e. a classic SQL injection flaw. The CVSS v3.1 base score of 8.8 reflects a network attack vector, low attack complexity, required privileges, no user interaction, and high impact on confidentiality, integrity, and availability. Note that the CVE record metadata reproduced under Technical Details below lists no CVSS version, so confirm the score against the vendor advisory before using it for prioritisation. No public exploits are currently known, but the nature and impact of the flaw make it a significant risk for organizations running the affected on-premises version. No patches are currently linked, so mitigation may require restricting privileges, monitoring report uploads, and isolating SSRS environments until official fixes are released.

Potential Impact

The impact of CVE-2025-58112 is substantial for organizations running Microsoft Dynamics 365 Customer Engagement on-premises version 1612. Successful exploitation allows execution of arbitrary SQL commands, resulting in data breaches, data corruption, or data loss. Attackers could exfiltrate sensitive customer and business data, manipulate records to disrupt business operations, or delete critical information. If the account that executes report queries has elevated database privileges, attackers may escalate to operating system command execution and compromise the server hosting the database and reporting services, opening the way to lateral movement and deployment of further malware or ransomware. Because exploitation requires only the privilege to upload reports, or the mere presence of a malicious report that the attacker can run, insider threats and compromised low-privilege accounts are particularly dangerous. The combined effect on confidentiality, integrity, and availability can disrupt business continuity, damage reputation, and incur regulatory penalties for data breaches. Given the widespread use of Microsoft Dynamics 365 in enterprise environments, the exposed population is significant, especially in sectors that depend heavily on customer engagement platforms such as finance, healthcare, retail, and government.

Mitigation Recommendations

1. Immediately review and restrict the Add Reporting Services Reports privilege to the trusted accounts that genuinely need it, to minimize the risk of malicious .rdl uploads.
2. Audit the existing .rdl files in the report server for unauthorized or suspicious reports, in particular dataset queries that are not plain SELECT statements, and remove any untrusted files.
3. Implement strict access controls and monitoring on the SQL Server Reporting Services environment to detect unusual report uploads, report executions, or privilege changes.
4. Isolate the SQL Server Reporting Services environment from other critical systems to limit lateral movement if it is compromised.
5. Employ database activity monitoring to detect anomalous SQL from the report execution account, such as stacked statements, extended stored procedure calls, or linked-server queries.
6. Apply the principle of least privilege to the account under which report datasets query the database (the SSRS service account and any data source credentials): it should have only the read access the reports need, with no rights to extended stored procedures or linked servers.
7. Until an official patch is released, consider disabling custom report upload entirely, or restricting access to the upload interface via network segmentation and firewall rules.
8. Educate administrators and users about the risks of uploading untrusted report files and enforce validation of .rdl content before publication.
9. Monitor vendor advisories closely for patches or updates addressing this vulnerability and apply them promptly once available.
10. Conduct penetration testing and vulnerability assessments focused on report generation and SQL injection vectors to identify and remediate weaknesses proactively.
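The Technical Analysis above describes the mechanism (an .rdl file's dataset CommandText is sent to the database when the report runs), and mitigation step 2 asks for an audit of existing .rdl files. The following script is an added example written for this page; it is not code from Microsoft, OffSeq, or the CVE record. It assumes the standard RDL layout (Report > DataSets > DataSet > Query > CommandType/CommandText, under a report-definition namespace that varies by schema year) and treats the rule set, the sample report, and the handling of Dynamics FetchXML queries as this example's own choices rather than a vendor-published policy.

```python
"""Audit RDL (Report Definition Language) files for dataset queries that have
no place in a user-supplied CRM report.

Added example for this page, not code from Microsoft, OffSeq or the CVE record.
Assumptions: RDL datasets live at Report/DataSets/DataSet/Query with
CommandType and CommandText children; CommandText beginning with "<fetch" is
Dynamics FetchXML (read-only, not T-SQL) and is skipped. The rule set and the
sample report below are constructed for illustration.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# T-SQL features that a report author has no legitimate reason to put in a
# dataset query. Which ones to flag is this example's policy, not a vendor list.
SUSPICIOUS = {
    "os_command": re.compile(r"\bxp_cmdshell\b|\bsp_OACreate\b|\bsp_OAMethod\b", re.I),
    "remote_data": re.compile(r"\bOPENROWSET\b|\bOPENDATASOURCE\b|\bOPENQUERY\b", re.I),
    "linked_server": re.compile(r"\b\w+\.\w*\.\w*\.\w+\b"),  # four-part name server.db.schema.object
    "stacked_statement": re.compile(
        r";\s*(?:EXEC(?:UTE)?|INSERT|UPDATE|DELETE|DROP|ALTER|CREATE|MERGE|GRANT|TRUNCATE|BULK)\b",
        re.I),
    "non_select": re.compile(r"^\s*(?!SELECT\b|WITH\b|DECLARE\b)\w+", re.I),
    "config_change": re.compile(r"\bsp_configure\b|\bRECONFIGURE\b", re.I),
}


@dataclass(frozen=True)
class Finding:
    dataset: str   # DataSet Name attribute
    rule: str      # key from SUSPICIOUS, or "stored_procedure"
    excerpt: str   # query text around the match


def _local(tag: str) -> str:
    """Strip the namespace so the parser works for any RDL schema year."""
    return tag.rsplit("}", 1)[-1]


def iter_datasets(root: ET.Element):
    """Yield (name, command_type, command_text) for every DataSet in the report."""
    for ds in root.iter():
        if _local(ds.tag) != "DataSet":
            continue
        ctype, ctext = "Text", ""
        for el in ds.iter():
            if _local(el.tag) == "CommandType":
                ctype = (el.text or "Text").strip()
            elif _local(el.tag) == "CommandText":
                ctext = el.text or ""
        yield ds.get("Name", "?"), ctype, ctext


def audit_rdl(rdl_xml: str) -> list[Finding]:
    """Return findings for every dataset query that trips a rule (heuristic:
    a comment before SELECT will trigger non_select, review by hand)."""
    findings: list[Finding] = []
    for name, ctype, ctext in iter_datasets(ET.fromstring(rdl_xml)):
        q = ctext.strip()
        if q.lower().startswith("<fetch"):
            continue  # FetchXML, not T-SQL
        if ctype.lower() != "text":
            findings.append(Finding(name, "stored_procedure", q[:80]))
            continue
        for rule, pat in SUSPICIOUS.items():
            m = pat.search(q)
            if m:
                findings.append(Finding(name, rule, q[max(0, m.start() - 20):m.end() + 20]))
    return findings


def audit_file(path: str) -> list[Finding]:
    with open(path, encoding="utf-8") as fh:
        return audit_rdl(fh.read())


# Constructed sample: one benign dataset, one with an OS-command payload in a
# stacked statement, one Dynamics FetchXML dataset that should be ignored.
SAMPLE_RDL = """<Report xmlns="http://schemas.microsoft.com/sqlserver/reporting/2016/01/reportdefinition">
  <DataSets>
    <DataSet Name="Accounts">
      <Query><DataSourceName>CRM</DataSourceName><CommandType>Text</CommandType>
        <CommandText>SELECT AccountId, Name FROM FilteredAccount</CommandText></Query>
    </DataSet>
    <DataSet Name="Payload">
      <Query><DataSourceName>CRM</DataSourceName><CommandType>Text</CommandType>
        <CommandText>SELECT 1 AS ok; EXEC master..xp_cmdshell 'whoami'</CommandText></Query>
    </DataSet>
    <DataSet Name="Fetch">
      <Query><DataSourceName>CRM</DataSourceName>
        <CommandText>&lt;fetch&gt;&lt;entity name="contact"/&gt;&lt;/fetch&gt;</CommandText></Query>
    </DataSet>
  </DataSets>
</Report>"""

if __name__ == "__main__":
    for f in audit_rdl(SAMPLE_RDL):
        print(f"{f.dataset}: {f.rule}: {f.excerpt!r}")
```

Run it over every .rdl extracted from the report server (or exported from the Dynamics report area) and treat any hit as a report to quarantine until its author and purpose are confirmed. The rules are deliberately coarse: a query that merely starts with a comment will be flagged as non_select, which is preferable to missing a stacked EXEC.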


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-08-25T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 69baf5d2771bdb1749bce2ae

Added to database: 3/18/2026, 6:58:26 PM

Last enriched: 3/26/2026, 1:14:19 AM

Last updated: 5/2/2026, 1:56:50 PM

