CVE-2026-47647 Microsoft CVE debrief

Who should care

Microsoft Dynamics 365 users, administrators, and security teams should be aware of this critical vulnerability and take immediate action to mitigate it. Additionally, security researchers and threat intelligence teams may want to monitor for potential exploits.

Technical summary

CVE-2026-47647 is an improper access control vulnerability in Microsoft Dynamics 365 that allows an authorized attacker to elevate privileges over a network. The vulnerability has a CVSS score of 9.9 and is considered critical. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, indicating that the vulnerability can be exploited over the network with low attack complexity and privileges. The weakness is classified as CWE-284.

Defensive priority

high

Recommended defensive actions

• Apply patches or updates provided by Microsoft as soon as possible
• Implement additional security controls to monitor and restrict access to Microsoft Dynamics 365
• Conduct regular security audits and vulnerability assessments
• Ensure proper network segmentation and isolation
• Monitor for suspicious activity and potential exploits
• Review and update incident response plans

Evidence notes

The CVE record and NVD detail pages provide limited information about the vulnerability. The vendor is currently listed as 'Unknown Vendor' but evidence suggests it is likely Microsoft. The vulnerability was published on June 18, 2026, and has not been modified since.

Official resources