anonhaven
Ad

CVE-2025-58112

HIGH CVSS 3.1: 8.8 EPSS 0.07%
Updated Mar 19, 2026
N/A
Parameter Value
CVSS 8.8 (HIGH)
Type CWE-89 (SQL Injection)
Vendor N/A
Public PoC No

Microsoft Dynamics 365 Customer Engagement (on-premises) 1612 (9.0.2.3034) allows the generation of customized reports via raw SQL queries in an upload of a .rdl (Report Definition Language) file; this is then processed by the SQL Server Reporting Service. An account with the privilege Add Reporting Services Reports can upload a malicious rdl file. If the malicious rdl file is already loaded and it is executable by the user, the Add Reporting Services Reports privilege is not required.

A malicious actor can trigger the generation of the report, causing the execution of arbitrary SQL commands in the underlying database. Depending on the permissions of the account running SQL Server Reporting Services, the attacker may be able to perform additional actions, such as accessing linked servers or executing operating system commands.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
Low
Basic privileges needed
User Interaction
None
No user interaction needed

Impact Assessment

Confidentiality
High
Complete data leak
Integrity
High
Complete data modification
Availability
High
Complete denial of service

CVSS Vector v3.1

Weakness Type (CWE)

CWE-89 SQL Injection

Vulnerable Products

n/a:n/a

References 2

https://gist.github.com/Redteam-LongwaveSpa/141f6c52ce49f9c0f49989c7d6940abd
cve@mitre.org
https://microsoft.com
cve@mitre.org
Share Post Share Share Share

Related Vulnerabilities

CVE-2024-51222

N/A

4.8

CVE-2026-4542

N/A

5.3

CVE-2026-4514

PHP

5.3

CVE-2026-30703

N/A

9.8

CVE-2026-30702

N/A

9.8