Microsoft published a security advisory on May 12, 2026, confirming an elevation-of-privilege vulnerability in Dynamics 365 Business Central that lets a low‑privileged local attacker gain full SYSTEM rights. The company has released fixes for four major release waves, and it is telling customers that action is required.
The Vulnerability and the Fix
CVE‑2026‑40417 is rooted in weak authentication within Business Central, classified under CWE‑1390. The CVSS 3.1 score is 7.8 – an “Important” severity under Microsoft’s rating scheme – with high impact to confidentiality, integrity, and availability. The attack vector is local, requires only low privileges, and demands no user interaction, making it a classic second‑stage escalation tool once an attacker has even limited foothold inside the environment.
Microsoft assigns a report confidence rating of “Confirmed,” meaning the bug is real, reproducible, and not merely a theoretical concern. The remediation level is “Official Fix,” and exploit code maturity is currently rated “Unproven.” While the advisory states that exploitation is “less likely” today, the presence of detailed fix builds means the window between patch release and reverse‑engineering attempts is narrow.
Four release waves are affected:
| Release Wave | Fixed Build |
|---|---|
| 2024 Release Wave 2 | 25.18 |
| 2025 Release Wave 1 | 26.12 |
| 2025 Release Wave 2 | 27.6 |
| 2026 Release Wave 1 | 28.1 |
Each fixed build corresponds to a separate KB article in Microsoft’s Security Update Guide, and the vendor marks “customer action required” for every affected entry. The updates address the weak authentication path, preventing the local privilege escalation to SYSTEM.
What It Means for You
If your organization runs Microsoft Dynamics 365 Business Central, this vulnerability demands your attention even if you normally filter Patch Tuesday by “Critical” first. The “Important” label understates the business risk: this is an ERP system that handles finance, inventory, sales, and operations. An attacker who escalates to SYSTEM on a Business Central server gains not only control of the application but also host‑level access to the underlying Windows machine, with all the lateral movement, credential theft, and persistence possibilities that entails.
For ERP administrators: The fix is a standard application update, but ERP updates are not browser patches. You must plan for extension compatibility testing, integration validation, and potential downtime. Business Central often runs in hybrid or on‑premises configurations, so the local attack vector is very real. The low‑privilege requirement means that any compromised user account – even a service identity with minimal rights – can be weaponized to take over the server. This is not a theoretical edge case.
For security operations teams: The SYSTEM leap is a red flag. Once an adversary runs code as SYSTEM, your detection tools must look beyond application logs. Host‑based intrusion detection, credential dumping alerts, and unexpected service creations become critical. If you cannot patch immediately, tighten monitoring on all Business Central servers and review any evidence of anomalous behavior by low‑privileged accounts.
For business leadership: An ERP compromise isn’t just an IT outage. Manipulated financial data, altered payment instructions, or disrupted inventory records can have legal and regulatory consequences. The fix is available now, and postponing it because the severity isn’t “Critical” is a gamble that threat actors won’t develop an exploit after seeing the patch diffs – a gamble that has rarely paid off.
How We Got Here
Dynamics 365 Business Central has grown into the de facto ERP for small and midsize organizations inside the Microsoft ecosystem. Its semiannual release waves add features and, inevitably, complexity. The product sits at the intersection of Windows, Entra ID, Power Platform, and a vast ecosystem of third‑party extensions. Yet, its security posture is often less scrutinized than that of Exchange or domain controllers.
The vulnerability was responsibly disclosed by researcher Nhien Pham (@nhienit) of Galaxy One. Microsoft’s advisory timeline shows no public disclosure or known exploitation before the patch shipped, which is a textbook example of coordinated disclosure. The bug itself – weak authentication – underscores a persistent challenge in enterprise software: identity boundaries must hold under pressure from every API, integration point, and local service component.
May 2026’s Patch Tuesday included many disclosures, but CVE‑2026‑40417 stands out because it involves confirmed privilege escalation in a business‑critical application. For many organizations, Business Central is less frequently patched than Windows, and the inventory of which release wave is running where can be fuzzy. That fog is exactly where an elevation‑of‑privilege vulnerability becomes dangerous.
What to Do Now
Time is on your side if you act deliberately. There is no known public exploit today, but the patch itself gives attackers a roadmap. Here is a concrete response plan:
-
Inventory your deployments. Identify every Business Central instance – production, sandbox, test, and integration environments. Note which release wave and build each runs. The fixed builds are 25.18, 26.12, 27.6, and 28.1; any earlier build in those waves is vulnerable.
-
Plan the update. ERP patching is a change‑management exercise. Schedule a maintenance window, notify users, and back up your databases. Test the update first in a sandbox environment, especially if you use ISV solutions or custom extensions. Microsoft’s KB articles for each fixed build contain detailed installation instructions.
-
Validate integrations. Business Central often connects to external systems via APIs, Power Automate, or scheduled jobs. After updating, verify that all integrations still function. Pay particular attention to any component that uses service accounts or local authentication; the fix changes authentication behavior, and an integration may fail if it relied on the earlier, weaker path.
-
Review access privileges. While the vulnerability itself is being patched, take the opportunity to shrink your attack surface. Remove dormant user accounts, enforce least privilege for service accounts, and audit local administrative rights on Business Central servers. The fewer low‑privileged accounts that can authenticate locally, the harder it is for an attacker to exploit this or a similar flaw.
-
Monitor for SYSTEM‑level anomalies. If you cannot patch immediately, enable additional logging: Windows Event ID 4103 (PowerShell execution), 4688 (process creation), and 4672 (special privileges assigned). Look for unexpected processes launching as SYSTEM or changes to server configuration. Even after patching, a retrospective look is wise to ensure no foothold existed before the update.
-
Coordinate with partners. Many Business Central deployments involve Microsoft partners for customizations and support. Inform them of the vulnerability and the plan, and ensure they validate their extensions against the fixed build.
Outlook
Microsoft’s transparency with this advisory – including detailed CVSS temporal metrics, fixed builds, and the “Confirmed” rating – gives defenders a head start. The real test is whether organizations treat business‑application vulnerabilities with the same rigor as operating system patches. As ERP platforms store ever more critical data and run ever more automated processes, elevation‑of‑privilege bugs like CVE‑2026‑40417 will become a favorite target for attackers who understand that compromising the books means compromising the business. The fix is available now; the decision to prioritize it is a governance moment, not a technical one.