The vulnerability CVE-2025-58112 affects Microsoft Dynamics 365 Customer Engagement (on-premises) version 1612 (9.0.2.3034). It arises from the capability of the system to generate customized reports via raw SQL queries embedded in uploaded .rdl (Report Definition Language) files. These files are processed by SQL Server Reporting Services (SSRS). An attacker who holds the Add Reporting Services Reports privilege can upload a malicious .rdl file containing arbitrary SQL commands. Once uploaded, the attacker or any user with execution rights on the report can trigger the report generation, causing the embedded SQL commands to execute on the backend database. This can lead to unauthorized data access, data manipulation, or further compromise depending on the privileges of the SSRS service account. If the SSRS account has elevated permissions, the attacker might also execute commands on linked servers or even operating system commands, escalating the attack from database compromise to full system compromise. Notably, if the malicious .rdl file is already uploaded and executable, the attacker does not need the Add Reporting Services Reports privilege to exploit the vulnerability, increasing the attack surface. This vulnerability highlights a critical weakness in report processing and privilege management within Dynamics 365 and SSRS integration. No official patches or CVSS scores have been published yet, and no active exploitation has been reported, but the potential impact is severe.

The impact of CVE-2025-58112 is significant for organizations using Microsoft Dynamics 365 Customer Engagement (on-premises) with SQL Server Reporting Services. Successful exploitation can lead to arbitrary SQL command execution, resulting in unauthorized data disclosure, data corruption, or deletion. If the SSRS service account has high privileges, attackers could escalate to executing commands on linked servers or the underlying operating system, potentially leading to full system compromise. This can disrupt business operations, cause data breaches, and lead to regulatory and compliance violations. Organizations relying on Dynamics 365 for critical customer engagement and business processes face risks of operational downtime and reputational damage. The vulnerability also increases insider threat risks, as users with the Add Reporting Services Reports privilege can abuse their access. The absence of a patch and the ability to exploit the vulnerability without additional user interaction further exacerbate the threat. Overall, the vulnerability could be leveraged for data exfiltration, lateral movement within networks, and persistent access, making it a critical concern for affected environments.

To mitigate CVE-2025-58112, organizations should immediately audit and restrict the Add Reporting Services Reports privilege to only the most trusted and necessary accounts, minimizing the number of users who can upload .rdl files. Implement strict access controls and monitoring on report execution and uploads. Review and harden the permissions of the SQL Server Reporting Services service account to the least privilege necessary, avoiding elevated rights that could allow OS command execution or linked server access. Disable or restrict the ability to upload custom reports if not required. Employ network segmentation and database activity monitoring to detect unusual SQL commands or report generation activities. Regularly review existing .rdl files for unauthorized or suspicious content. Until an official patch is released, consider applying virtual patching via Web Application Firewalls (WAFs) or SQL Server security policies to block suspicious queries. Maintain up-to-date backups and have an incident response plan ready to address potential exploitation. Engage with Microsoft support for updates and patches as they become available.