In late 2022, Microsoft patched a serious information disclosure issue in its Business Central software, designated as CVE-2022-41066. While many news outlets and technical write-ups covered the basics, this long read will break the vulnerability down in simple American English, walk through a hypothetical exploitation scenario, give code snippets, and summarize key resources for security professionals and businesses.
What is CVE-2022-41066?
CVE-2022-41066 is a vulnerability in Microsoft Dynamics 365 Business Central (on-premises), an ERP platform for small and mid-sized businesses. Specifically, it allows attackers who already have authenticated access to Business Central to grab sensitive data that they should not see.
Microsoft assigned it a CVSS score of 6.5 (Medium)—not critical, but important if you use Business Central.
- Patched: November 2022
- Microsoft Advisory: MSRC CVE-2022-41066
How Does The Vulnerability Work?
This bug exists because of insecure handling of table access permissions inside the Business Central web client/API. In certain cases, users with limited rights can still request and receive data from tables or records that should be forbidden, bypassing internal access filters.
That means someone who’s not an admin (maybe a basic user or support staffer) could pull data such as customer lists, vendor info, or confidential financial records—data they shouldn’t be able to see.
- The attacker only needs *limited* access (e.g., any basic user account).
- The data target (table/object) needs to be present in the database.
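The enforcement point is what matters here. To make that concrete, below is an added illustration written for this page in JavaScript; it is not Business Central's code and does not reproduce the real bug. It models a hypothetical server with a page route and an OData route over the same tables. In the vulnerable variant the table-permission check lives only in the page handler, so the OData handler hands out rows from a table the role is not entitled to; in the hardened variant the check sits in the data-access layer, so every entry point inherits it. Table names, roles and user names are constructed.

```javascript
// Added illustration (not Business Central's code): where the table-permission
// check lives decides whether an alternate entry point such as OData can bypass it.

// Constructed sample tables; Customer stands in for the sensitive one.
const TABLES = {
  Item:     [{ no: '1000', description: 'Bicycle' }],
  Customer: [{ no: '10000', name: 'Adatum Corp', creditLimit: 50000 }],
};

// Constructed permission sets: which tables each role may read.
const ROLE_READ_TABLES = {
  'SALES-MANAGER': new Set(['Customer', 'Item']),
  'BASIC':         new Set(['Item']),
};

// Constructed user accounts (hypothetical names).
const USERS = {
  salesmgr:    { roles: ['SALES-MANAGER'] },
  lowprivuser: { roles: ['BASIC'] },
};

function canRead(user, table) {
  return user.roles.some(role => ROLE_READ_TABLES[role]?.has(table) === true);
}

// VULNERABLE PATTERN: the data layer trusts its callers, and only the page
// handler remembers to check. The OData handler reaches the data layer directly.
function readTableUnchecked(table) {
  return TABLES[table] ?? null;
}

function vulnerableServer() {
  return {
    page(userName, table) {
      const user = USERS[userName];
      if (!user) return { status: 401, body: null };
      if (!canRead(user, table)) return { status: 403, body: null };
      return { status: 200, body: readTableUnchecked(table) };
    },
    odata(userName, table) {
      // Bug: authenticated, but no table-permission check on this path.
      if (!USERS[userName]) return { status: 401, body: null };
      return { status: 200, body: readTableUnchecked(table) };
    },
  };
}

// HARDENED PATTERN: the data layer itself refuses unauthorized reads, so every
// entry point (page, OData, SOAP, anything added later) inherits the check.
function readTableChecked(user, table) {
  if (!canRead(user, table)) {
    const err = new Error(`read of ${table} denied`);
    err.status = 403;
    throw err;
  }
  return TABLES[table] ?? null;
}

function hardenedServer() {
  const handle = (userName, table) => {
    const user = USERS[userName];
    if (!user) return { status: 401, body: null };
    try {
      return { status: 200, body: readTableChecked(user, table) };
    } catch (err) {
      return { status: err.status ?? 500, body: null };
    }
  };
  return { page: handle, odata: handle };
}
```

Call both servers with the same low-privilege account against `Customer`: the vulnerable one answers 403 from `page()` but 200 with the rows from `odata()`, while the hardened one answers 403 on both routes and 200 only for the sales-manager role. The design lesson is that a permission filter implemented per entry point is only as good as the entry point you forgot.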
Step 1: Gather Valid Credentials
First, the attacker acquires a valid Business Central login. Even a weakly permissioned user will do. (This is not a remote, unauthenticated attack.)
Step 2: Target a Sensitive Table
Suppose there’s a “Customer” table holding sensitive client data. Normally, only sales managers can view it.
Step 3: Craft a Malicious Web Request
If the user visits a page or uses an API endpoint that requests data from the restricted table, the system *should* block it. However, due to CVE-2022-41066, the block might fail. Here’s a simple JavaScript example of making such a data request via the Business Central OData endpoint:
```javascript
// Example: fetching protected customer data with a limited-permission account
// via the Business Central OData v4 endpoint.
fetch('https://YOUR_BC_SERVER:7048/BC210/ODataV4/Company(\'CRONUS USA, Inc.\')/Customer', {
  method: 'GET',
  headers: {
    'Authorization': 'Basic ' + btoa('lowprivuser:password'),
    'Accept': 'application/json'
  }
})
  .then(res => {
    // On a patched server this account should get 401/403 here, not 200.
    if (!res.ok) throw new Error(`HTTP ${res.status}`);
    return res.json();
  })
  .then(data => console.log(data))
  .catch(err => console.error(err));
```
> Note: This example assumes you have a valid login that shouldn’t have access to Customer data.
Step 4: Parse the Response
Due to the flaw, the data comes back—revealing customer names, addresses, phone numbers, financial details, etc.
- Supply Chain Risks: A compromised supplier account could be abused to leak information.
- Compliance Issues: Exposure of regulated datasets (PII, financial data) could lead to legal or reputational risk.
How Was It Patched?
In November 2022, Microsoft updated Business Central’s access control checks to prevent unauthorized access at the web service layer. Administrators should apply all patches, especially for on-premises installations.
- Apply the patch per Microsoft’s update guide
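Patching closes the hole, but you still want to know whether it was used before the update and to confirm the fix holds afterwards. As an added example (not from the original post and not from Microsoft), the following JavaScript scans constructed web-service access log lines and flags successful reads of entity sets the requesting account is not entitled to. The log format, account names and entitlement map are assumptions; adapt `LINE_RE` to whatever your reverse proxy or telemetry actually emits. The same scan doubles as a post-patch check: a low-privilege test account requesting a restricted entity set should now show up in the denial counts with 401/403, not in the findings with 200.

```javascript
// Added example (not from the post, not a real Business Central log format):
// flag successful OData reads of entity sets the requesting user should not see.

// Constructed sample access log lines, one request per line.
const SAMPLE_LOG = [
  "2022-11-10T08:12:03Z user=salesmgr method=GET path=/BC210/ODataV4/Company('CRONUS USA, Inc.')/Customer status=200 rows=1200",
  "2022-11-10T08:12:41Z user=lowprivuser method=GET path=/BC210/ODataV4/Company('CRONUS USA, Inc.')/Item status=200 rows=300",
  "2022-11-10T08:13:05Z user=lowprivuser method=GET path=/BC210/ODataV4/Company('CRONUS USA, Inc.')/Customer status=200 rows=1200",
  "2022-11-10T08:13:09Z user=lowprivuser method=GET path=/BC210/ODataV4/Company('CRONUS USA, Inc.')/Vendor status=403 rows=0",
  "2022-11-10T08:14:00Z user=unknownsvc method=GET path=/BC210/ODataV4/Company('CRONUS USA, Inc.')/Customer status=401 rows=0",
].join('\n');

// Constructed entitlement map: entity sets each account may read.
// Accounts absent from the map are treated as entitled to nothing.
const READ_ALLOWED = {
  salesmgr:    new Set(['Customer', 'Item', 'Vendor']),
  lowprivuser: new Set(['Item']),
};

// Assumed line layout; the path field may contain spaces, hence the lazy match.
const LINE_RE = /^(\S+) user=(\S+) method=(\S+) path=(.+?) status=(\d+) rows=(\d+)$/;

// Parse one line into a record, or return null if it does not match the format.
function parseLine(line) {
  const m = LINE_RE.exec(line.trim());
  if (!m) return null;
  const [, time, user, method, path, status, rows] = m;
  // The entity set is the last path segment, with any OData query options dropped.
  const entitySet = path.split('?')[0].split('/').pop();
  return { time, user, method, path, entitySet, status: Number(status), rows: Number(rows) };
}

// Return the successful (2xx) reads of entity sets the user is not entitled to.
function findSuspiciousReads(logText, allowed) {
  const findings = [];
  for (const line of logText.split('\n')) {
    const rec = parseLine(line);
    if (!rec) continue;
    if (rec.status < 200 || rec.status >= 300) continue; // denied or failed: nothing leaked
    const entitled = allowed[rec.user]?.has(rec.entitySet) === true;
    if (!entitled) findings.push(rec);
  }
  return findings;
}

// Denied requests per account. After the patch, a low-privilege test account
// probing a restricted entity set should appear here rather than in the findings.
function countDenials(logText) {
  const counts = {};
  for (const line of logText.split('\n')) {
    const rec = parseLine(line);
    if (rec && (rec.status === 401 || rec.status === 403)) {
      counts[rec.user] = (counts[rec.user] ?? 0) + 1;
    }
  }
  return counts;
}

for (const f of findSuspiciousReads(SAMPLE_LOG, READ_ALLOWED)) {
  console.log(`ALERT ${f.time} ${f.user} read ${f.rows} rows from ${f.entitySet}`);
}
```

On the constructed sample the scan raises exactly one alert, the low-privilege account pulling 1200 rows from `Customer`, and reports one denial each for `lowprivuser` and `unknownsvc`. In a real deployment the entitlement map would be generated from your actual permission sets rather than hand-written, which also makes the scan a cheap way to audit whether those permission sets are tighter than you think.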
Key Reference Links
- Microsoft Security Advisory
- Microsoft Dynamics 365 Business Central Security Model
- Release notes for Business Central
- CVE Details Database
Conclusion
*CVE-2022-41066* might not sound as flashy as full remote code execution bugs, but information disclosure issues like this can be serious. Even for authenticated-only vulnerabilities, the impact can be huge—especially in business environments that rely on Business Central for daily operations.
Take this vulnerability as a wake-up call to patch quickly, audit your user permissions, and approach any ERP or business platform with a security-first mindset.
Stay safe—and always patch promptly!
*This post is exclusive to this platform; feel free to share with proper attribution. For more hands-on ERP security tips, follow our updates!*
Timeline
Published on: 11/09/2022 22:15:00 UTC
Last modified on: 11/11/2022 02:36:00 UTC