Executive Summary
A critical server-side request forgery (SSRF) vulnerability (CVE-2026-32210) has been disclosed in Microsoft Dynamics 365 (Online), Microsoft's cloud-based enterprise resource planning and customer relationship management platform. The vulnerability carries a CVSS score of 9.3 and allows an unauthenticated attacker to perform network spoofing by abusing the Dynamics 365 server as a proxy to issue requests to internal or external network resources. This is a high-severity cloud service vulnerability with potential for internal metadata service access, credential harvesting, and lateral movement within Microsoft's cloud infrastructure.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-32210 |
| CVSS Score | 9.3 (Critical) |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None (unauthenticated) |
| User Interaction | None |
| Affected Platform | Microsoft Dynamics 365 (Online) |
| Vulnerability Type | Server-Side Request Forgery — SSRF (CWE-918) |
| Published | April 23, 2026 |
Affected Products
| Product | Deployment | Status |
|---|---|---|
| Microsoft Dynamics 365 (Online) | Cloud / SaaS | Vulnerable — Microsoft patch in progress |
Technical Analysis
Root Cause
CVE-2026-32210 is a server-side request forgery vulnerability, a class of flaw where an application can be induced to make HTTP requests to an attacker-specified destination — internal resources, cloud metadata endpoints, or external targets — using the server's own network identity and trust relationships.
In the Dynamics 365 Online context, an SSRF vulnerability can be exploited to:
- Access Azure Instance Metadata Service (IMDS) endpoints (http://169.254.169.254/) to retrieve cloud credentials and access tokens
- Probe internal Microsoft Azure infrastructure not normally accessible to external parties
- Bypass network access controls that trust connections originating from Dynamics 365 servers
- Perform reconnaissance against internal services through the cloud platform's trusted network position
The unauthenticated nature of this vulnerability (PR:N) means no Dynamics 365 account is required to trigger the server-side request, making it exploitable by any internet-accessible attacker who can reach the vulnerable endpoint.
Attack Flow
1. Attacker identifies the vulnerable Dynamics 365 endpoint that processes external URLs
2. Attacker crafts a request pointing to an internal target:
   - Azure IMDS: http://169.254.169.254/metadata/instance
   - Internal API endpoints: http://10.x.x.x/admin
   - Other Dynamics infrastructure services
3. Dynamics 365 server issues the request using its privileged internal network position
4. Response data is returned to the attacker (directly or through side-channel inference)
5. Attacker harvests cloud credentials, internal network topology, or access tokens
6. Harvested credentials enable further attacks on Azure resources or Dynamics data
SSRF in Cloud Environments
SSRF vulnerabilities in cloud-hosted SaaS platforms are particularly high-impact because:
| Factor | Impact |
|---|---|
| Metadata Service Access | Cloud VMs can access IMDS endpoints returning IAM credentials & instance info |
| Trust Relationships | Internal cloud services often trust requests from other services in the same VNet |
| Credential Escalation | IMDS tokens can be used to call Azure Resource Manager APIs |
| Multi-tenant Risk | In SaaS platforms, SSRF from one tenant context may reach shared infrastructure |
Why CVSS 9.3
| Metric | Value | Reason |
|---|---|---|
| No authentication | PR:N | Exploitable without any Dynamics 365 account |
| Network accessible | AV:N | Triggered via internet-reachable Dynamics 365 endpoints |
| Low complexity | AC:L | Standard SSRF exploitation, no special conditions required |
| High impact | C:H/I:H/A:H | Potential for cloud credential theft enabling further Azure compromise |
Impact Assessment
| Impact Area | Description |
|---|---|
| Cloud Credential Theft | IMDS access can expose Azure managed identity tokens |
| Internal Network Reconnaissance | Map internal Azure infrastructure inaccessible from outside |
| Data Exfiltration | Access internal APIs or storage accounts via forged server requests |
| Authentication Bypass | Stolen IMDS tokens can authenticate to Azure Resource Manager APIs |
| Multi-Tenant Risk | Potential to probe shared Dynamics infrastructure components |
| Compliance Violation | Unauthorized access to Microsoft cloud infrastructure violates data residency & compliance controls |
Remediation
Step 1: Apply Microsoft's Patch
Microsoft Dynamics 365 Online is a SaaS platform; patches are deployed by Microsoft directly. Monitor the Microsoft Security Update Guide and Service Health dashboard for confirmation of CVE-2026-32210 remediation.
1. Monitor: https://msrc.microsoft.com/update-guide/ for CVE-2026-32210 status
2. Check Dynamics 365 Service Health in Microsoft 365 Admin Center
3. Review Microsoft Defender for Cloud alerts for related activity
Step 2: Review Dynamics 365 Integration Configurations
Audit any Dynamics 365 integrations that process external URLs or make outbound HTTP calls:
- Review all Power Automate flows connecting to external services
- Audit Dynamics 365 plugins and custom workflow activities
- Check for webhook configurations pointing to external endpoints
- Review custom connectors that may interact with the vulnerable endpoint
Step 3: Monitor for SSRF Exploitation Attempts
```bash
# Review Dynamics 365 audit logs for unusual API activity
# Use Microsoft Defender for Cloud Apps (formerly MCAS) to monitor Dynamics activity
# Check Azure Activity Log for unexpected resource access from Dynamics service principal
# (GNU date syntax; -u keeps the timestamp in UTC so the trailing Z is accurate)
az monitor activity-log list \
  --start-time "$(date -u -d '7 days ago' +%Y-%m-%dT%H:%M:%SZ)" \
  --query "[?authorization.action=='Microsoft.Resources/subscriptions/resourcegroups/read']" \
  --output table
# Review Azure IMDS access logs if available
# Check for unexpected managed identity token requests
# Replace <dynamics_resource_id> with the resource ID; it is quoted so the shell does not read < > as redirection
az monitor diagnostic-settings list --resource "<dynamics_resource_id>"
```
Step 4: Harden Dynamics 365 Network Policies
1. Enable IP-based access restrictions for Dynamics 365 admin endpoints
2. Configure Conditional Access policies for all Dynamics 365 users
3. Enable Microsoft Defender for Dynamics 365
4. Review and restrict Dynamics 365 API access to required integrations only
5. Implement Just-In-Time (JIT) access for Dynamics administrative operations
Detection Indicators
| Indicator | Description |
|---|---|
| Unexpected Azure IMDS calls from Dynamics 365 service | SSRF exploitation targeting metadata service |
| Unusual Dynamics 365 outbound HTTP requests in logs | Active SSRF exploitation |
| Azure managed identity token usage from unexpected sources | Harvested token abuse |
| Internal network scanning originating from Dynamics 365 | Post-exploitation reconnaissance |
| Unauthorized Azure resource access via Dynamics service principal | Credential abuse following SSRF |
| Unusual Dynamics 365 API calls without corresponding user sessions | Unauthenticated endpoint exploitation |
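
The sketch below is an added example, not part of the original advisory or of any Microsoft tooling. It applies the IMDS, outbound-request and internal-scanning indicators above to outbound-request records, and `classify` can equally be run over the webhook and connector URLs audited in Step 2. The log format, source names and `scan_threshold` value are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

IMDS = ipaddress.ip_address("169.254.169.254")  # metadata address named in the advisory

# Constructed sample records; the "timestamp src=... dest=..." format is an assumption.
SAMPLE_LOG = [
    "2026-04-24T10:00:01Z src=crm-worker-1 dest=http://169.254.169.254/metadata/instance",
    "2026-04-24T10:00:02Z src=crm-worker-1 dest=http://10.0.0.5/admin",
    "2026-04-24T10:00:03Z src=crm-worker-1 dest=http://10.0.0.6/admin",
    "2026-04-24T10:00:04Z src=crm-worker-1 dest=http://10.0.0.7/admin",
    "2026-04-24T10:00:05Z src=crm-worker-2 dest=https://example.com/webhook",
    "2026-04-24T10:00:06Z src=crm-worker-2 dest=http://[::ffff:169.254.169.254]/metadata/instance",
]

def classify(url):
    """Classify a destination URL as 'imds', 'internal', 'external' or 'hostname'."""
    host = urlsplit(url).hostname or ""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"  # a name: resolve it and classify the resulting address
    ip = getattr(ip, "ipv4_mapped", None) or ip  # unwrap IPv4-mapped IPv6 literals
    if ip == IMDS:
        return "imds"
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return "internal"
    return "external"

def detect(lines, scan_threshold=3):
    """Return alerts: every IMDS request, plus sources touching many internal hosts."""
    alerts, internal_hosts = [], defaultdict(set)
    for line in lines:
        fields = dict(f.split("=", 1) for f in line.split()[1:] if "=" in f)
        src, dest = fields.get("src"), fields.get("dest")
        if not src or not dest:
            continue  # skip malformed records
        kind = classify(dest)
        if kind == "imds":
            alerts.append(("imds-access", src, dest))
        elif kind == "internal":
            internal_hosts[src].add(urlsplit(dest).hostname)
    for src, hosts in sorted(internal_hosts.items()):
        if len(hosts) >= scan_threshold:
            alerts.append(("internal-scan", src, len(hosts)))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Destinations classified as `hostname` are not judged here; resolve them and classify the resulting addresses before treating them as external.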
Post-Remediation Checklist
- Confirm Microsoft has deployed the CVE-2026-32210 patch to your Dynamics 365 tenant
- Review Azure Activity Logs for any suspicious resource access from the Dynamics service principal
- Rotate managed identity credentials and service principal secrets if compromise is suspected
- Audit all Dynamics 365 API integrations and Power Automate flows for unexpected changes
- Enable Microsoft Defender for Cloud to monitor for ongoing SSRF exploitation
- Apply Conditional Access policies requiring MFA for all Dynamics 365 access
- Review network security group rules for any Dynamics-adjacent Azure resources
- Notify Microsoft Support if active exploitation evidence is found