Critical (9.3)

Dynamics 365 SSRF lets attackers spoof (CVE-2026-32210)

CVE-2026-32210

Attackers can spoof trusted services via a server-side request forgery (SSRF) vulnerability in Microsoft Dynamics 365 (Online), tracked as CVE-2026-32210. Verify that your cloud instance has received Microsoft's security update.

Affected: Microsoft Dynamics 365

Act now - CVE-2026-32210 is a critical SSRF vulnerability in Microsoft Dynamics 365 (Online) through which an unauthenticated attacker can spoof trusted services and probe networks reachable from the Dynamics 365 service. Customers cannot patch a cloud service themselves; Microsoft applies the fix automatically, so the action item is to confirm in the admin center that your environment has actually received it rather than assuming it has.

Overview

An unauthenticated attacker can exploit a server-side request forgery (SSRF) vulnerability in Microsoft Dynamics 365 (Online) to perform spoofing attacks over the network. Identified as CVE-2026-32210, this flaw carries a CVSS score of 9.3 (Critical). The scoring records no user interaction on the attacker's side; this write-up also states that the victim must perform a specific action for the attack to succeed, so treat the user-interaction requirement as unconfirmed until you have checked the CVE entry in Microsoft's Security Update Guide.

Affected Systems

All Microsoft Dynamics 365 (Online) instances are affected. The vulnerability exists in the cloud-hosted version of the product. No on-premises installations are impacted.

Impact

An attacker with network access to the vulnerable endpoint can submit crafted requests that the Dynamics 365 service then issues on the attacker's behalf to internal or external destinations. Because those requests leave Microsoft's infrastructure from Microsoft source addresses, the attacker can:

  • Spoof trusted services: downstream systems that trust requests on the strength of a Dynamics 365 or Microsoft source address cannot tell the forged request from a legitimate one
  • Reach resources on the service-side network, and any customer endpoints the service is permitted to call, that are not directly exposed to the internet
  • Perform reconnaissance on the reachable network topology, for example by observing which hosts and ports answer

Downstream, a spoofed request from a source the victim trusts can seed phishing campaigns, credential theft, or further lateral movement into the systems that integrate with Dynamics 365 within an organization's environment.

Remediation

Microsoft has released a security update for Dynamics 365 (Online). No additional action is required from administrators to apply the fix, as it is rolled out automatically to all cloud instances. Verify that your instance has received it by comparing the environment's version, shown on the environment details page in the Power Platform admin center (the current home of Dynamics 365 online administration), against the build Microsoft's advisory names as fixed.

Mitigation

Until the update has reached every tenant, organizations should:

  • Review which of their own endpoints (webhook receivers, custom connector back ends, on-premises data gateways, API hosts) accept traffic on the strength of Dynamics 365 or Azure source IP ranges alone, and require application-level authentication (a shared secret, a request signature, or an OAuth token) instead; egress filtering on Microsoft's service hosts is not under customer control
  • Monitor those endpoints for requests arriving from Microsoft source ranges that do not match the registered integration (unexpected paths, methods, hosts or volumes)
  • Implement user awareness training about spoofing-based phishing attacks
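The first mitigation above is the one an SSRF in a SaaS platform defeats most directly: a receiver that trusts the platform's source address will accept a request the attacker caused the platform to send. The following is an added illustration, not code from the advisory or from Microsoft, showing the weak source-IP check beside a signature check that an SSRF primitive cannot satisfy. The prefix 203.0.113.0/24, the shared secret and the signature scheme are assumptions for the example; in practice use the vendor's published ranges and whatever authentication the integration actually supports.

```python
import hashlib
import hmac
import ipaddress
from typing import Optional

# Constructed for this example: the egress prefix the receiver was told
# belongs to the SaaS platform. Real Microsoft ranges are published by
# Microsoft and are not reproduced here.
TRUSTED_SAAS_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Assumed shared secret configured on both the platform and the receiver.
WEBHOOK_SECRET = b"example-shared-secret"


def authorize_by_source_ip(remote_ip: str) -> bool:
    """Weak pattern: trust any request that arrives from the platform's
    source addresses. An SSRF in the platform lets an attacker originate
    requests from exactly those addresses, so this check proves only
    where the packet came from, not who chose to send it."""
    ip = ipaddress.ip_address(remote_ip)
    return any(ip in net for net in TRUSTED_SAAS_PREFIXES)


def sign(secret: bytes, body: bytes) -> str:
    """HMAC-SHA256 over the raw request body, hex encoded."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def authorize_by_signature(body: bytes, signature_header: Optional[str]) -> bool:
    """Hardened pattern: the caller must present an HMAC over the body
    computed with the shared secret. An SSRF primitive can pick the
    destination and perhaps the body, but cannot produce this value
    without the secret."""
    if not signature_header:
        return False
    expected = sign(WEBHOOK_SECRET, body)
    # Constant-time comparison avoids leaking the expected value byte by byte.
    return hmac.compare_digest(expected, signature_header)


def handle_webhook(remote_ip: str, body: bytes,
                   signature_header: Optional[str], *, mode: str) -> str:
    """Dispatch to one of the two policies; returns 'accepted' or 'rejected'."""
    if mode == "ip":
        ok = authorize_by_source_ip(remote_ip)
    elif mode == "signature":
        ok = authorize_by_signature(body, signature_header)
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return "accepted" if ok else "rejected"


if __name__ == "__main__":
    body = b'{"event": "contact.created", "id": 42}'
    forged_from_saas_range = "203.0.113.10"   # what an SSRF-originated request looks like
    print("ip-trust, no signature:",
          handle_webhook(forged_from_saas_range, body, None, mode="ip"))
    print("signature, none supplied:",
          handle_webhook(forged_from_saas_range, body, None, mode="signature"))
    print("signature, valid:",
          handle_webhook(forged_from_saas_range, body, sign(WEBHOOK_SECRET, body), mode="signature"))
```

The point of the comparison is that the source address is a property of the network path, which the SSRF gives the attacker for free, while the signature is a property of the sender's knowledge, which it does not.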

Detection

Tenant administrators do not have access to the Dynamics 365 service's own server logs, so detection happens on the receiving side. Review the access logs of every system that accepts connections from Dynamics 365 for requests from Microsoft source ranges that fall outside the expected integration traffic: paths other than the registered webhook or connector endpoints, probing of administrative or configuration paths, or bursts that do not correspond to platform activity. A request that arrives from a trusted range but does not match the registered integration is the signature of the service being used as a proxy.
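The triage described above, as an added example that is not part of the advisory: parse access-log lines from a customer-side receiver, keep only requests from the prefix attributed to the platform, and flag those that are not the registered integration call. The prefix 203.0.113.0/24, the single expected endpoint and the log lines are constructed for the example; substitute the vendor's published ranges and your own registered endpoints.

```python
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed for this example: the source prefix attributed to the SaaS
# platform (substitute the vendor's published ranges) and the single
# integration endpoint the platform is registered to call on this host.
SAAS_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]
EXPECTED_ENDPOINTS = {("POST", "/webhooks/crm")}

# Common Log Format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines from a customer-side receiver; not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2026:10:00:01 +0000] "POST /webhooks/crm HTTP/1.1" 200 17
203.0.113.10 - - [12/Mar/2026:10:00:02 +0000] "POST /webhooks/crm HTTP/1.1" 200 17
203.0.113.44 - - [12/Mar/2026:10:05:13 +0000] "GET /admin/ HTTP/1.1" 401 0
203.0.113.44 - - [12/Mar/2026:10:05:14 +0000] "GET /api/internal/users HTTP/1.1" 403 0
203.0.113.44 - - [12/Mar/2026:10:05:15 +0000] "GET /.env HTTP/1.1" 404 0
198.51.100.7 - - [12/Mar/2026:10:06:00 +0000] "GET /admin/ HTTP/1.1" 401 0
garbage line that does not parse
"""


def from_saas(ip_text: str) -> bool:
    """True when the address falls inside a prefix attributed to the platform."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in SAAS_PREFIXES)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one Common Log Format line; None when it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def triage(log_text: str) -> Tuple[List[Dict[str, str]], Dict[str, int]]:
    """Return (findings, per-source counts). A finding is a request that
    arrived from the platform's range but is not the registered
    integration call. Ordinary internet scanners (198.51.100.7 here) are
    deliberately ignored: the question is whether the trusted source misbehaved."""
    findings: List[Dict[str, str]] = []
    per_source: Dict[str, int] = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not from_saas(rec["ip"]):
            continue
        if (rec["method"], rec["path"]) in EXPECTED_ENDPOINTS:
            continue
        per_source[rec["ip"]] += 1
        findings.append({
            "ip": rec["ip"],
            "time": rec["ts"],
            "request": f'{rec["method"]} {rec["path"]}',
            "status": rec["status"],
            "reason": "request from platform range outside registered integration",
        })
    return findings, dict(per_source)


if __name__ == "__main__":
    found, counts = triage(SAMPLE_LOG)
    for f in found:
        print(f'{f["time"]} {f["ip"]} {f["request"]} -> {f["status"]}: {f["reason"]}')
    print("per-source counts:", counts)
```

On the sample data the two legitimate webhook deliveries pass, the scanner at 198.51.100.7 is ignored because it is not a trusted source, and the three probes from 203.0.113.44 are reported: a trusted address requesting administrative and configuration paths is exactly the pattern an SSRF-as-proxy produces.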

Security Insight

This SSRF vulnerability in a major SaaS platform underscores the growing attack surface of cloud-delivered business applications. Unlike traditional software vulnerabilities that administrators can patch independently, cloud service flaws require vendor action and trust in the automatic update process. As threat actors increasingly target SaaS platforms for supply chain attacks, organizations must verify vendor patch deployment rather than assuming it occurs seamlessly.
