Microsoft Fixes Critical Vulnerabilities in Dynamics 365 and Power Apps Web API
By: Austin Ukpebor - Jan 2, 2025
Microsoft has addressed three significant security vulnerabilities impacting Dynamics 365 and the Power Apps Web API, following disclosures from Australian cybersecurity firm Stratus Security. The flaws, which were quietly patched in May 2024, involved weaknesses in both the OData Web API Filter and the FetchXML API. If exploited, these issues could have allowed unauthorized access to sensitive customer data stored within enterprise CRM environments.
The most critical vulnerability stemmed from missing access controls in the OData Web API Filter: the $filter expression was evaluated against columns of the contacts table that the caller was not authorized to read. That table often holds highly sensitive information, including names, phone numbers, physical addresses, financial data and even password hashes. The restricted columns were never returned in the response, but whether a filter matched was enough. Stratus Security demonstrated that an attacker could run boolean-based searches, such as a predicate on the hash column that either matches or does not, to extract password hashes one character at a time, turning what looks like an ordinary read of permitted data into a credential-disclosure bug.
A second flaw in the same OData filter involved the orderby clause: the API would sort results on a column the caller could not read, so the order of the returned rows, all of which the caller was permitted to see, leaked the hidden values and let an attacker enumerate data and infer database structure. This kind of flaw is particularly dangerous because every request is an authorized read of visible rows; nothing is denied, and a single request looks unremarkable in a per-request log, so data can be harvested stealthily and incrementally. A third issue in the FetchXML API, the platform's other query interface, let the same orderby technique reach data in tables beyond contacts regardless of the access controls on those tables, giving attackers additional reach into the underlying environment.
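The following Python script is an added illustration of the bug class described in the two paragraphs above; it is not Stratus Security's proof of concept and not Microsoft code. It models a constructed contacts table, a toy endpoint that supports one predicate shape (startswith on a single column) plus an $orderby key, and a hypothetical set of columns the caller may read; every name and hash value in it is made up. The vulnerable endpoint restricts only the projected columns, so the caller recovers a hash prefix by prefix from the match/no-match oracle and reads hidden values off the sort order. The hardened endpoint applies the check a practitioner would want: authorize every column a query references, filter and sort key included, before evaluating it. Whether Microsoft's actual fix takes this shape is not public; the check is an assumption about what closes the gap.

```python
"""Boolean-oracle extraction through an OData-style $filter and $orderby,
and the server-side check that stops it.

Added example, not Stratus Security's proof of concept and not Microsoft's
code: the endpoint, table, column names and hash values are constructed."""
import re

HEX = "0123456789abcdef"

# Constructed sample data: a contacts table with a column the caller may
# read (fullname) and one they may not (passwordhash).
CONTACTS = [
    {"contactid": 1, "fullname": "Ada Lovelace", "passwordhash": "9f3a7c"},
    {"contactid": 2, "fullname": "Alan Turing", "passwordhash": "0be41d"},
]
# Hypothetical column-level permission set for the calling principal.
READABLE_COLUMNS = {"contactid", "fullname"}

FILTER_RE = re.compile(r"^startswith\((\w+),'([^']*)'\)$")


def parse_filter(expr):
    """Parse the one predicate shape this toy endpoint supports:
    startswith(<column>,'<prefix>'). Returns (column, prefix)."""
    m = FILTER_RE.match(expr)
    if not m:
        raise ValueError(f"unsupported $filter: {expr}")
    return m.group(1), m.group(2)


def query_vulnerable(filter_expr, orderby=None):
    """Vulnerable behaviour: the predicate and sort key are evaluated
    against every column and only the projection is restricted. The caller
    never sees passwordhash, but which rows come back and in what order
    depends on it, which is all an oracle needs."""
    column, prefix = parse_filter(filter_expr)
    rows = [r for r in CONTACTS if str(r[column]).startswith(prefix)]
    if orderby:
        rows.sort(key=lambda r: r[orderby])
    return [{k: r[k] for k in READABLE_COLUMNS} for r in rows]


def query_fixed(filter_expr, orderby=None):
    """Hardened behaviour: every column referenced anywhere in the query
    ($filter and $orderby, not just $select) must be readable by the
    caller, otherwise the request is refused before any data is touched."""
    column, _ = parse_filter(filter_expr)
    for referenced in (column, orderby):
        if referenced is not None and referenced not in READABLE_COLUMNS:
            raise PermissionError(f"column not readable: {referenced}")
    return query_vulnerable(filter_expr, orderby)


def extract_hash(query, contactid, length, alphabet=HEX):
    """Recover a hash one character at a time. Each probe asks 'does the
    row with this contactid have a hash beginning with <known>+<c>?' and
    reads the answer from whether that row is in the filtered result."""
    known = ""
    for _ in range(length):
        for c in alphabet:
            rows = query(f"startswith(passwordhash,'{known + c}')")
            if any(r["contactid"] == contactid for r in rows):
                known += c
                break
        else:
            return known  # no candidate matched; stop rather than guess
    return known


def order_by_secret(query):
    """Ordering oracle: sort rows the caller may see by a column they may
    not read. The projection hides passwordhash, but the returned order
    reveals how the hidden values compare. Returns contactids in order."""
    rows = query("startswith(fullname,'A')", orderby="passwordhash")
    return [r["contactid"] for r in rows]


def max_probes(length, alphabet=HEX):
    """Upper bound on requests for a prefix oracle: length * |alphabet|,
    against |alphabet| ** length for blind guessing. This is why a
    'harmless' filter leak is a credential-disclosure bug."""
    return length * len(alphabet)


def blocked(fn, *args):
    """True if the call is refused by the hardened endpoint."""
    try:
        fn(*args)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print("leaked hash:", extract_hash(query_vulnerable, 2, 6))
    print("hash order of contacts:", order_by_secret(query_vulnerable))
    print("at most", max_probes(6), "requests for a 6-hex-digit value")
    print("hardened endpoint refuses both:",
          blocked(extract_hash, query_fixed, 2, 6),
          blocked(order_by_secret, query_fixed))
```

Note that the attacker never requests the passwordhash column and every response contains only fields the caller is allowed to see, which is why a per-request authorization check on the projection alone passes every probe.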
Microsoft fixed all three vulnerabilities in May 2024, months before the public disclosure. Because Dynamics 365 and Power Apps are hosted services, the fix was applied on Microsoft's side rather than shipped as a customer patch, but organizations should still confirm their environments are on a current release. While there is no evidence of active exploitation, the nature of the flaws highlights the ongoing challenges of securing complex SaaS platforms. Organizations relying on Dynamics 365 and Power Apps are urged to review Web API access logs for anomalies, in particular bursts of $filter or $orderby requests that reference sensitive columns such as password hashes, and to validate that least-privilege access is enforced for users, application users and the app registrations behind integrations, so that a query interface never has more reach than the caller needs.
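As an added example, and not a Microsoft or Stratus Security tool, here is one way to do the log review recommended above. It parses constructed access-log lines in a made-up "timestamp caller method path" format, groups startswith() filter probes by caller and column, and flags callers that filter on a sensitive column or whose probes build up a prefix one character at a time, which is the signature of the oracle attack described earlier. The log format, caller identifiers, column names and thresholds are assumptions to adapt to whatever your API gateway or audit export actually records.

```python
"""Hunting for prefix-oracle probing in Web API access logs.

Added example, not Microsoft or Stratus Security tooling: the log format,
caller identifiers, column names and thresholds are constructed."""
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample: "<timestamp> <caller> <method> <path>". Caller app-7b is
# walking a hash prefix one hex digit at a time; app-12 is ordinary usage.
SAMPLE_LOG = """\
2024-05-02T10:00:01Z app-7b GET /api/data/v9.2/contacts?$select=contactid&$filter=startswith(passwordhash,'7')
2024-05-02T10:00:02Z app-12 GET /api/data/v9.2/contacts?$select=fullname&$filter=startswith(fullname,'Ada')
2024-05-02T10:00:02Z app-7b GET /api/data/v9.2/contacts?$select=contactid&$filter=startswith(passwordhash,'9')
2024-05-02T10:00:03Z app-7b GET /api/data/v9.2/contacts?$select=contactid&$filter=startswith(passwordhash,'9a')
2024-05-02T10:00:04Z app-7b GET /api/data/v9.2/contacts?$select=contactid&$filter=startswith(passwordhash,'9f')
2024-05-02T10:00:05Z app-7b GET /api/data/v9.2/contacts?$select=contactid&$filter=startswith(passwordhash,%279f3%27)
2024-05-02T10:00:06Z app-12 GET /api/data/v9.2/contacts?$select=fullname&$filter=startswith(fullname,'Al')
2024-05-02T10:00:07Z app-7b GET /api/data/v9.2/contacts?$select=contactid&$filter=startswith(passwordhash,%279f3a%27)
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<caller>\S+) (?P<method>\S+) (?P<path>\S+)$")
PRED_RE = re.compile(r"startswith\((\w+),'([^']*)'\)")
# Columns no ordinary caller should be filtering on at all (assumed list).
SENSITIVE_COLUMNS = {"passwordhash"}


def parse_line(line):
    """Return {'caller', 'preds'} for one log line, or None if it does not
    match the constructed format. Percent-decoding first matters: encoded
    quotes would otherwise hide the predicate from PRED_RE."""
    m = LINE_RE.match(line)
    if not m:
        return None
    preds = PRED_RE.findall(unquote(m["path"]))
    return {"caller": m["caller"], "preds": preds}


def walk_depth(prefixes):
    """How many characters of the longest probe were built up step by step,
    i.e. for how many lengths n some probe equals longest[:n]. A
    character-at-a-time oracle leaves every intermediate prefix behind."""
    longest = max(prefixes, key=len)
    probed = set(prefixes)
    return sum(1 for n in range(1, len(longest) + 1) if longest[:n] in probed)


def find_oracle_probing(log_text, min_depth=3, min_probes=5):
    """Group startswith() probes by (caller, column) and flag callers that
    filter on a sensitive column or show a prefix walk."""
    probes = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for column, prefix in rec["preds"]:
            probes[(rec["caller"], column)].append(prefix)

    findings = []
    for (caller, column), prefixes in probes.items():
        reasons = []
        if column in SENSITIVE_COLUMNS:
            reasons.append("filter on sensitive column")
        depth = walk_depth(prefixes)
        if depth >= min_depth and len(prefixes) >= min_probes:
            reasons.append(f"prefix walk to depth {depth} over {len(prefixes)} probes")
        if reasons:
            findings.append({"caller": caller, "column": column,
                             "depth": depth, "probes": len(prefixes),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_oracle_probing(SAMPLE_LOG):
        print(finding)
```

The prefix-walk heuristic is independent of the sensitive-column list, so it still fires when an attacker targets a column you did not think to label; the column list catches slow probing that stays under the volume threshold.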
These disclosures underscore a broader trend in which attackers increasingly target APIs and cloud-based business platforms. As enterprises continue to centralize sensitive data within interconnected SaaS ecosystems, API-level security has become a critical component of modern cybersecurity strategy. The concrete lesson for anyone building or reviewing a query API is that authorization has to cover every column a request references, in filters and sort keys as well as the selected fields, not only the data that is ultimately returned. The incident is also a reminder that even mature platforms require continuous scrutiny to prevent unauthorized access and data exposure.