---

In the world of business software, Microsoft Dynamics CRM (on-premises) powers customer relations for thousands of organizations. But in 2022, a major security risk emerged—CVE-2022-35805. This vulnerability allows attackers to remotely run any code on affected CRM servers, potentially leading to full system compromise. Below, we'll break down what CVE-2022-35805 is all about, how the exploit works, and offer practical advice to secure your servers.

What is CVE-2022-35805?

CVE-2022-35805 is a Remote Code Execution (RCE) vulnerability in Microsoft Dynamics CRM (on-premises). Attackers can exploit a flaw in how Dynamics processes specially crafted network requests, allowing them to execute arbitrary code on the server with the privileges of the Dynamics service account.

> Note: This vulnerability is unique from CVE-2022-34700. Both affect Microsoft CRM, but use different bugs and attack vectors.

Microsoft's Reference

- Official Microsoft Security Update CVE-2022-35805

How Does the Attack Work?

The attacker crafts a special SOAP or HTTP request targeting CRM's web endpoint. If sent to a vulnerable server, Dynamics CRM processes the request and executes the payload, running code supplied by the attacker. This can include installing backdoors, stealing data, deleting files, or pivoting further into your network.

Attack Preconditions

- Attacker must have access to the CRM web endpoint (e.g., internal/external network).

A Simple Exploit Example

> Disclaimer: This demonstration is for educational purposes only. Never test vulnerabilities on systems you do not own!

To exploit the bug, the attacker sends a carefully crafted SOAP message (via HTTP POST) to the CRM web service endpoint. Here’s an example of what an attack payload might look like in Python using the requests library:

import requests

# Target CRM endpoint (update as needed)
url = "http://crm-victim.local/XRMServices/2011/Organization.svc/web";

# Crafted SOAP payload that triggers the RCE
payload = '''<?xml version="1." encoding="utf-8"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">;
  <s:Body>
    <x:Execute xmlns:x="http://schemas.microsoft.com/xrm/2011/Contracts/Services">;
      <request i:type="a:PluginTypeRequest" xmlns:a="http://schemas.microsoft.com/xrm/2011/Contracts"; xmlns:i="http://www.w3.org/2001/XMLSchema-instance">;
        <!-- Malicious data here -->
      </request>
    </x:Execute>
  </s:Body>
</s:Envelope>
'''

headers = {
    "Content-Type": "application/soap+xml; charset=UTF-8"
}

response = requests.post(url, data=payload, headers=headers)
print(response.status_code)
print(response.text)

*In a real exploit, the 'Malicious data here' would be replaced by code or references to a file/payload to execute on the server.*

Technical Details

Microsoft hasn’t published the full technical sequence, but security researchers found that flaws in CRM’s SOAP endpoint handling (likely improper deserialization or unsafe handling of user input) are key to exploitation.

- Input Validation Lapse: The vulnerable endpoint fails to fully validate data types or restrict object instantiation in the XML payload.
- Code Execution: By sending the right XML structure, an attacker can trigger code execution in the Dynamics CRM backend.

References for Further Reading

- MSRC: Microsoft Dynamics CRM Remote Code Execution Vulnerability
- Zero Day Initiative Advisory
- NVD CVE Record

How To Protect Your Organization

1. Patch Now: Microsoft has issued a patch. Apply the latest security update from the Microsoft Security Update Guide.

Conclusion

CVE-2022-35805 is a wake-up call for administrators of on-premises Microsoft Dynamics CRM setups. With the potential for remote, unauthenticated code execution, quick response is essential. Patch your servers, tighten exposures, and monitor access carefully.

Remember: Software vulnerabilities can have devastating results—but with the right knowledge and swift action, you can keep your systems safe.

Further Reading & Resources

- Official Microsoft Security Update CVE-2022-35805
- NVD: CVE-2022-35805 Details

Stay safe—regular updates and awareness are your best first lines of defense!

Timeline

Published on: 09/13/2022 19:15:00 UTC
Last modified on: 09/16/2022 17:29:00 UTC