Severe Security Flaws Patched in Microsoft Dynamics 365 and Power Apps Web API

Details have emerged about three now-patched security vulnerabilities in Dynamics 365 and Power Apps Web API that could result in data exposure.
The flaws, discovered by Melbourne-based cybersecurity company Stratus Security, have been addressed as of May 2024. Two of the three shortcomings reside in Power Platform's OData Web API Filter, while the third vulnerability is rooted in the FetchXML API.
The root cause of the first vulnerability is the lack of access control on the OData Web API Filter, thereby allowing access to the contacts table that holds sensitive information such as full names, phone numbers, addresses, financial data, and password hashes.
A threat actor could then weaponize the flaw to perform a boolean-based search to extract the complete hash by guessing each character of the hash sequentially until the correct value is identified.
"For example, we start by sending startswith(adx_identity_passwordhash, 'a') then startswith(adx_identity_passwordhash , 'aa') then startswith(adx_identity_passwordhash , 'ab') and so on until it returns results that start with ab," Stratus Security said.
"We continue this process until the query returns results that start with 'ab'. Eventually, when no further characters return a valid result, we know we have obtained the complete value."

The second vulnerability, on the other hand, lies in using the orderby clause in the same API to obtain the data from the necessary database table column (e.g., EMailAddress1, which refers to the primary email address for the contact).
Lastly, Stratus Security also found that the FetchXML API could be exploited in conjunction with the contacts table to access restricted columns using an orderby query.
"When utilizing the FetchXML API, an attacker can craft an orderby query on any column, completely bypassing the existing access controls," it said. "Unlike the previous vulnerabilities, this method does not necessitate the orderby to be in descending order, adding a layer of flexibility to the attack."
An attacker weaponizing these flaws could, therefore, compile a list of password hashes and emails, then crack the passwords or sell the data.
"The discovery of vulnerabilities in the Dynamics 365 and Power Apps API underscores a critical reminder: cybersecurity requires constant vigilance, especially for large companies that hold so much data like Microsoft," Stratus Security said.
Managing Cloud Risks Gave Security Teams a Big Headache in 2024
'Bad Likert Judge' Jailbreak Bypasses Guardrails of OpenAI, Other Top LLMs
CVE-2025-22224 VMware ESXi and Workstation TOCTOU Race Condition Vulnerability
CVE-2025-2783 Google Chromium Mojo Sandbox Escape Vulnerability
CVE-2020-29574 CyberoamOS (CROS) SQL Injection Vulnerability
CVE-2022-43769 Hitachi Vantara Pentaho BA Server Special Element Injection Vulnerability
CVE-2022-43939 Hitachi Vantara Pentaho BA Server Authorization Bypass Vulnerability
CVE-2018-8639 Microsoft Windows Win32k Improper Resource Shutdown or Release Vulnerability
CVE-2024-40890 Zyxel DSL CPE OS Command Injection Vulnerability
CVE-2024-49035 Microsoft Partner Center Improper Access Control Vulnerability
CVE-2017-0148 Microsoft SMBv1 Server Remote Code Execution Vulnerability
CWE-1266 Improper Scrubbing of Sensitive Data from Decommissioned Device
CWE-164 Improper Neutralization of Internal Special Elements
CWE-318 Cleartext Storage of Sensitive Information in Executable
CWE-158 Improper Neutralization of Null Byte or NUL Character
CWE-836 Use of Password Hash Instead of Password for Authentication
Free online web security scanner