Microsoft shipped a patch Tuesday that plugs a critical hole in two of its business ERP products — Dynamics NAV and Dynamics 365 Business Central on-premises — which could allow remote attackers to execute code without ever needing a valid username or password. The fix, released July 14, 2026, addresses a deserialization flaw that earned a CVSS base score of 9.8 out of 10, the highest severity rating the company assigns. Anyone running an internet‑facing instance of these systems has just run out of time to wait.
A Malicious Login Request Is All It Takes
The vulnerability, tracked as CVE-2026-55944, resides in how the affected software handles login requests. An attacker can send a specially crafted login payload to a vulnerable server; the application then deserializes that untrusted data in a way that lets the attacker run arbitrary code over the network. Because the flaw lives in the login path, the exploit requires zero authentication and no interaction from a victim. In Microsoft’s own words, the attack is “network‑accessible, requires low complexity, needs no privileges, and does not depend on a user clicking or opening anything.”
Deserialization bugs are notoriously dangerous. When an application reconstructs objects from raw network input without strict controls, attackers can manipulate the process to choke the runtime into executing their own instructions. In the case of CVE-2026-55944, the weakness is classified as CWE‑502, Deserialization of Untrusted Data — a category that has been behind some of the most impactful remote‑code execution flaws of the past decade, including Apache Struts, Java object injection, and numerous .NET deserialization issues.
The fix raises the corrected Dynamics NAV 2018 build to version 11.0.50704.0. While the initial CVE record singles out NAV 2018 versions older than that build, Microsoft’s advisory headline explicitly includes Dynamics 365 Business Central on‑premises deployments. That means organizations running any current or legacy on‑premises instance of these two product lines should not take comfort from a NAV‑only description. Asset inventories that rely on internal naming conventions or outdated licensing terms may list the same server as simply “Dynamics ERP” or “Business Central,” which can mask the true exposure.
The Ripple Effect of a Compromised ERP
Why a 9.8 score matters goes beyond the number. The attack is network‑accessible: an internet‑reachable Dynamics server that exposes its login interface — whether through a direct NAT rule, a reverse proxy, or a load balancer — can be reached from anywhere. No credentials are required, so there’s no brute‑force barrier. And because no user interaction is needed, there’s no fishing email or malicious link to trick anyone; the attacker just fires off the exploit and gains a foothold.
Once code execution is achieved, the attacker operates within the security context of the Dynamics service account. That account may not have domain‑admin rights, but it almost certainly holds elevated database permissions, can touch financial records, customer and supplier data, inventory, and integration shares, and may run scheduled jobs with stored credentials. In many environments, the ERP server sits close to the heart of the business. A successful intrusion can spill over into SQL Server, file storage, middleware, and administrative tooling, turning a single server compromise into a data‑exfiltration or ransomware launchpad.
Tenable’s analysis of Microsoft’s July Patch Tuesday release noted that the vendor assesses exploitation of CVE‑2026-55944 as “More Likely.” That’s Microsoft‑speak for a flaw that, based on available information and the ease of crafting an exploit, stands a good chance of being weaponized. As of this writing, no active exploitation or public proof‑of‑concept code has surfaced. But the combination of a low‑complexity attack vector and a clear target — login interfaces that are frequently exposed to the internet — makes waiting a gamble most organizations can’t afford.
How We Got Here: ERP as a Prime Target
Dynamics NAV’s roots reach back decades. The product evolved from a DOS‑based accounting tool into a modular business‑management platform, eventually rebranded as Dynamics 365 Business Central in its cloud‑first incarnation while continuing to ship an on‑premises edition. Over time, the product gained web clients, APIs, and a service‑oriented architecture that opens more network‑accessible endpoints — and with them, a larger attack surface.
Deserialization vulnerabilities have plagued business software for years. Because ERP applications must handle complex data structures and integrate with everything from web services to reporting engines, they often deserialize objects from outside sources. When developers don’t lock down which types can be instantiated, attackers slip malicious payloads into what otherwise looks like a legitimate request. Microsoft’s own history with deserialization flaws spans .NET Framework, Exchange Server, SharePoint, and now Dynamics.
The delay between vulnerability discovery and public disclosure is also telling. Microsoft coordinates its Patch Tuesday releases under a predictable monthly cadence, which means the CVE we see on July 14 may have been reported weeks or months earlier. Security researchers and nation‑state actors alike understand this rhythm, so the window between disclosure and exploitation can be alarmingly short — sometimes measured in hours, not days.
The fact that NVD’s entry for CVE‑2026-55944 is still “awaiting enrichment” doesn’t diminish the urgency. Microsoft, as the CVE Numbering Authority, has confirmed the flaw, provided the CWE classification, published the attack vector, and released a fix. The NVD status simply reflects database processing — not a lack of certainty about the bug’s existence or severity.
Practical Steps: Patching, Inventory, and Interim Defenses
1. Find Every Affected Instance
Start with an inventory. Don’t assume your Dynamics deployment is “just” NAV 2018 or “just” Business Central. Both labels apply. Use Microsoft’s Security Update Guide to cross‑reference the exact application build on every server — production, DR, test, and any forgotten legacy boxes that still run reporting or historical access. A dormant NAV instance with a running service is just as exploitable as a live one.
2. Deploy the Application Patch — Not Just Windows Updates
The July 2026 Windows cumulative update does not fix the ERP application. You must install the Dynamics NAV or Business Central security update that Microsoft released on July 14. Different teams often manage Windows patching and ERP maintenance; verify that both are on the same page. After installation, confirm the build number. For NAV 2018, the corrected version is 11.0.50704.0 or later. For Business Central on‑premises, consult the product‑specific table in Microsoft’s advisory.
3. Test Swiftly, But Don’t Delay
Essential testing — authentication, web clients, extensions, job queues, reporting, database connectivity — should be done, but the severity of CVE‑2026‑55944 argues for the shortest possible test cycle. If a full regression takes a week, ask whether a more targeted set of smoke tests can confirm the patch doesn’t break critical functions, then promote the build and monitor closely.
4. Reduce Exposure Where Patching Must Wait
Sometimes an update can’t be installed immediately because of change‑freeze windows or testing constraints. In those cases:
- Restrict access to the Dynamics login interface at the network level. Allow only trusted internal networks or VPN clients.
- Remove any public NAT rules, load‑balancer rules, or firewall policies that expose Dynamics services to the internet.
- If a reverse proxy or application delivery controller is in the path, review its configuration. It may be able to drop or sanitize the malicious request structure, but don’t count on it as a silver bullet — the proxy might simply relay the payload.
5. Monitor for Exploitation Attempts
Even after patching, turn up monitoring on the Dynamics server and its backend databases. Look for:
- Unexpected child processes launched from the Dynamics service account.
- New services, scheduled tasks, or registry entries.
- Unusual outbound network connections.
- Altered application files or configuration files.
- Suspicious SQL activity, especially data‑reading patterns inconsistent with normal business operations.
Failed or malformed login attempts may be the delivery mechanism, so log analysis around the authentication endpoint is smart, even though valid credentials aren’t required.
What Comes Next
The next pivot point for CVE‑2026-55944 will be the appearance of exploit code or active attacks in the wild. Microsoft’s “More Likely” assessment, while not a guarantee, suggests that proof‑of‑concept material could surface soon. Given the low attack complexity and high potential payout, ransomware gangs and espionage groups are likely to add this vector to their toolkits.
Beyond this specific vulnerability, the July 2026 Patch Tuesday underscores a broader trend: business‑critical applications are becoming the soft underbelly of enterprise security. Firewalls and endpoint detection can only do so much when a single crafted HTTP request can slide past authentication and turn an ERP server into an attacker’s launchpad. The patch is out. The window is closing. For Dynamics administrators, the only responsible move is to act before someone else does it for them.