CVE-2025-58112
Description
Microsoft Dynamics 365 Customer Engagement (on-premises) 1612 (9.0.2.3034) allows the generation of customized reports via raw SQL queries in an upload of a .rdl (Report Definition Language) file; this is then processed by the SQL Server Reporting Service. An account with the privilege Add Reporting Services Reports can upload a malicious rdl file. If the malicious rdl file is already loaded and it is executable by the user, the Add Reporting Services Reports privilege is not required. A malicious actor can trigger the generation of the report, causing the execution of arbitrary SQL commands in the underlying database. Depending on the permissions of the account running SQL Server Reporting Services, the attacker may be able to perform additional actions, such as accessing linked servers or executing operating system commands.
Affected products
- Microsoft / Dynamics 365 Customer Engagement
  - Range: = 1612 (9.0.2.3034)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
- Microsoft Patches 138 Vulnerabilities, Including DNS and Netlogon RCE Flaws (The Hacker News · May 13, 2026)
- Microsoft Patch Tuesday for May 2026 — Snort rules and prominent vulnerabilities (Cisco Talos Intelligence · May 12, 2026)
- Microsoft May 2026 Patch Tuesday fixes 120 flaws, no zero-days (BleepingComputer · May 12, 2026)
- Microsoft Patches 137 Vulnerabilities (SecurityWeek · May 12, 2026)
- Patch Tuesday - April 2026 (Rapid7 Blog · Apr 14, 2026)
- May 2026 Patch Tuesday: 30 Critical Vulnerabilities Among 130 CVEs (CrowdStrike Blog)