Dynamics 365 Business Central and Dynamics NAV on-premises Security Vulnerability CVE-2022-41127: how to fix

On December 13, 2022 Microsoft disclosed a security vulnerability (coded CVE-2022-41127) that affects the on-premises versions of Dynamics 365 Business Central and Dynamics NAV.

An attacker who successfully exploited this vulnerability in Dynamics NAV and Business Central could execute code on the host server in the context of the service account that Dynamics has been configured to use. The vulnerability exists because of insufficient validation of user-supplied input in Microsoft Dynamics NAV and Microsoft Dynamics 365 Business Central (on-premises). A remote user can pass specially crafted input to the application and execute arbitrary code on the target system. The open port could be used to connect with the WCF TCP protocol. As an authenticated user, the attacker could attempt to trigger malicious code in the context of the server's account through a network call.

Patching this should be a high priority for partners; mitigation requires installing a platform update.

My friend Duilio Tacconi (Microsoft CSS) wrote a great summary of what you need to know for patching the vulnerability. To help spread the information across partners, here is a recap of what you need to know.

DYNAMICS 365 BUSINESS CENTRAL

For Dynamics 365 Business Central patching, you can follow the simple table provided below. The minor version is the earliest build in which the issue has been fixed. For versions that are out of support under the modern lifecycle, the DVDs were refreshed in December 2022 with new ones that contain the platform changes that resolve the security problem.

Dynamics 365 Business Central Major Version | Lifecycle Type | Supportability | Minor Version | Update Provided | KB Article | Download Link
------------------------------------------- | -------------- | -------------- | ------------- | --------------- | ---------- | -------------
2022 Wave 2 (21.x)                          | Modern         | Mainstream     | 21.2          | Dec-22          | Download   | Download
2022 Wave 1 (20.x)                          | Modern         | Mainstream     | 20.8          | Dec-22          | Download   | Download
2021 Wave 2 (19.x)                          | Modern         | Mainstream     | 19.15         | Dec-22          | Download   | Download
2021 Wave 1 (18.x)                          | Modern         | Out of Support | 18.18         | Dec-22          | Download   | Download
2020 Wave 2 (17.x)                          | Modern         | Out of Support | 17.17         | Dec-22          | Download   | Download
2020 Wave 1 (16.x)                          | Modern         | Out of Support | 16.19         | Dec-22          | Download   | Download
October 2019 (15.x)                         | Modern         | Out of Support | 15.17         | Dec-22          | Download   | Download
April 2019 (14.x)                           | Fixed          | Mainstream     | 14.43         | Dec-22          | Download   | Download
October 2018 (13.x)                         | Fixed          | Out of Support | N/A           | N/A             | N/A        | N/A

DYNAMICS NAV

NAV 2018 (11.x) has been found affected.

This version was in mainstream support when the vulnerability was discovered.

The platform has been patched and the security problem is resolved by deploying the December 2022 cumulative update or higher:

Cumulative Update 59 for Microsoft Dynamics NAV 2018 (Build 49497) – Microsoft Support

NAV 2017 (10.0) has been found affected.

This version is out of mainstream support but still in extended support. The update (build 30712), released on December 13, 2022, fixes the remote code execution vulnerability. W1 and all localized versions of this build can be downloaded at the links provided in this blog post: (+) CVE-2022-41127: Download localized DVDs for Dynamics NAV 2016 and NAV 2017 – Dynamics 365 Business Central Community

Dynamics NAV 2016 (9.0) has been found affected.

This version is out of mainstream support but still in extended support.

The update (build 52203), released on December 13, 2022, fixes the remote code execution vulnerability. W1 and all localized versions of this build can be downloaded at the links provided in this blog post: (+) CVE-2022-41127: Download localized DVDs for Dynamics NAV 2016 and NAV 2017 – Dynamics 365 Business Central Community

Dynamics NAV 2015 (8.0) has been found affected.

This version is out of mainstream support but still in extended support. The update (build 52204), released on January 23, 2023, fixes the remote code execution vulnerability. W1 and all localized versions of this build can be downloaded at the links provided in this blog post: (+) CVE-2022-41127: Download localized DVDs for Dynamics NAV 2015 – Dynamics 365 Business Central Community

Dynamics NAV 2013 R2 (7.1) has been found affected.

This investigation was done on a best-effort basis by the security team, since NAV 2013 is currently out of support (end of extended support was 10 January 2023).

On a best-effort basis, the product group has provided a W1 DVD that contains the platform changes that address the bulletin. The update (build 52207, download from here), released on January 27, 2023, fixes the remote code execution vulnerability.

Dynamics NAV 2013 (7.0) has not been found affected.

This investigation was done on a best-effort basis by the security team, since NAV 2013 is currently out of support (end of extended support was 10 January 2023).

Dynamics 365 Business Central October 2018 release (13.x), NAV 2009 (RTM/SP1/R2) and backwards

These versions were out of both mainstream and extended support, so Microsoft is not obliged to perform any security checks against them.

Microsoft's position is that they could potentially be affected, hence it is warmly recommended to upgrade them to a patched, supported version as soon as possible.
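To turn the version table and the NAV build numbers above into a repeatable fleet check, here is an added example (not code from the post or from Microsoft) that classifies each installed platform version as patched, vulnerable, not affected, or out of scope of the table. The host names and version strings in the sample inventory are constructed; the status for versions newer than 21.x is flagged for manual verification rather than assumed.

```python
"""Classify Business Central / NAV platform versions against the CVE-2022-41127 fix builds in the post."""

# Business Central: first patched minor version per major, from the table above.
# 13.x received no fix (N/A), recorded as None: upgrading is the only remedy.
BC_FIXED_MINOR = {21: 2, 20: 8, 19: 15, 18: 18, 17: 17, 16: 19, 15: 17, 14: 43, 13: None}

# NAV: versions read major.minor.build.revision and the fixing build is the third
# component (NAV 2018 = 11.0, 2017 = 10.0, 2016 = 9.0, 2015 = 8.0, 2013 R2 = 7.1).
NAV_FIXED_BUILD = {(11, 0): 49497, (10, 0): 30712, (9, 0): 52203, (8, 0): 52204, (7, 1): 52207}
NAV_NOT_AFFECTED = {(7, 0)}  # NAV 2013 was investigated and found not affected


def parse_version(text: str) -> tuple:
    """'21.2.10000.10001' -> (21, 2, 10000, 10001); short forms like '14.43' are padded."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def patch_status(version: str) -> str:
    """Classify one installed platform version for CVE-2022-41127."""
    major, minor, build, _ = parse_version(version)
    if major >= 13:                                  # Business Central (13.x and later)
        if major > max(BC_FIXED_MINOR):
            return "newer-than-table"                # released after the fix; verify manually
        fixed = BC_FIXED_MINOR[major]
        if fixed is None:
            return "no-fix-available-upgrade"
        return "patched" if minor >= fixed else "vulnerable"
    key = (major, minor)                             # Dynamics NAV
    if key in NAV_NOT_AFFECTED:
        return "not-affected"
    if key not in NAV_FIXED_BUILD:                   # NAV 2009 and earlier: no security review
        return "unsupported-assume-affected"
    return "patched" if build >= NAV_FIXED_BUILD[key] else "vulnerable"


# Constructed sample inventory (host -> version reported by the server); not real data.
SAMPLE_INVENTORY = {
    "bc-prod-01": "21.2.10000.10001",
    "bc-test-02": "20.5.10000.10001",
    "nav2018-fin": "11.0.49497.0",
    "nav2017-legacy": "10.0.29000.0",
    "nav2013-old": "7.0.35800.0",
}


def scan(inventory: dict) -> dict:
    """Map each host to its status; any host not reporting 'patched' goes on the remediation list."""
    return {host: patch_status(ver) for host, ver in inventory.items()}
```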

Please react and update your customers.

5 Comments

  1. Do you know if I should update all CU technical and objects, or if I can apply only a technical update (Platform)?



  2. Is it possible that the customer has a risk even if his BC is not reachable from outside with an IP address?

    Do you know if it is only by using the web client? In this case, if a NAV client does not use the web, does it have no risk?

