CVE-2026-55944: Critical Unauthenticated RCE Hits Microsoft Dynamics NAV and Business Central On Premises
AK
Alex Kim Threat intelligence editor · Updated Jul 15, 2026, 4:55 PM EDT
CVE-2026-55944: Critical Unauthenticated RCE Hits Microsoft Dynamics NAV and Business Central On Premises
A critical unauthenticated remote code execution flaw in Microsoft Dynamics NAV and on-premises Dynamics 365 Business Central lets attackers seize control of ERP servers with a single crafted login request. Tracked as CVE-2026-55944, the bug scores CVSS 3.1 9.8 and carries Microsoft’s “Exploitation More Likely” rating. Patched in the record-volume July 2026 Patch Tuesday cycle, it puts finance, supply-chain, and operations systems at immediate risk wherever login endpoints remain reachable.
Security teams running on-premises Dynamics deployments should inventory exposed instances, apply the July updates, and lock down authentication paths before scanners fully weaponize the issue.
How the Attack Works
The root cause is deserialization of untrusted data (CWE-502). An attacker sends a specially crafted login request over the network to an affected Dynamics NAV or Business Central (On Premises) server. The authentication-facing path accepts attacker-controlled serialized data and deserializes it unsafely, allowing arbitrary code execution inside the server process.
No credentials are required. No user interaction is required. The CVSS vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H—network-accessible, low complexity, and full impact on confidentiality, integrity, and availability. Successful exploitation typically yields complete compromise of the ERP host, enabling data theft, fraudulent transactions, ransomware staging, and lateral movement into Active Directory, SQL, and adjacent finance systems.
B
Code Execution on ERP Host
Data theft / Ransomware
Lateral move to AD / SQL
Attacker] -->|Crafted login request| B[NAV / BC Login Path
This class of flaw is especially dangerous on ERP platforms because those hosts concentrate high-value business data and often sit in relatively trusted network segments.
Affected Products and Exposure
Public advisories consistently scope CVE-2026-55944 to:
Microsoft Dynamics NAV
Microsoft Dynamics 365 Business Central (On Premises)
Cloud (SaaS) Business Central is not described as affected in current public summaries. Organizations with hybrid connectors should still verify residual exposure through Microsoft 365 admin channels and partner notices rather than assuming zero risk.
Version detail available from secondary trackers includes an example for Dynamics NAV 2018: builds ≥ 1.0 and < 11.0.50704.0 are affected; the fix lands at 11.0.50704.0 and later. The complete matrix of Business Central cumulative updates and additional NAV years is published in Microsoft’s Security Update Guide entry for the CVE. Administrators must compare live build numbers against that table before declaring systems clean.
Product
Scope
Example Fixed Build (NAV 2018)
Dynamics NAV
On premises
11.0.50704.0+
Dynamics 365 Business Central
On Premises only
Per MSRC CU matrix
Business Central SaaS
Not listed as affected
N/A — confirm hybrid edges
High-risk exposure includes any production, DR, UAT, or partner-hosted instance with login, SOAP, OData, web client, or related client-service ports reachable from the internet or from flat internal networks. Temporary staging servers left internet-facing after testing are frequent blind spots.
Official Patches and Advisory Details
Microsoft released fixes as part of the July 2026 security updates—the record-volume July 2026 Patch Tuesday, addressing roughly 569–570 CVEs in Microsoft’s own accounting (some third-party tallies run higher). CVE-2026-55944 is rated Critical with an exploitability index of Exploitation More Likely. It is not one of the three zero-days Microsoft highlighted that month (the actively exploited AD FS CVE-2026-56155 and SharePoint CVE-2026-56164 issues, plus a publicly disclosed BitLocker bypass).
No detailed, vendor-endorsed non-patch workaround has been widely reproduced in secondary analyses. The authoritative remediation path remains the July 2026 Dynamics NAV / Business Central on-premises updates listed under the CVE in the Microsoft Security Update Guide. After installation, verify service health, ERP client connectivity, and that the running build meets or exceeds the fixed version for each product line. Restart services only according to Microsoft’s guidance for the specific cumulative update.
National and industry advisories, including Singapore’s Cyber Security Agency monthly patch bulletin, list the Dynamics RCE among the critical July fixes that organizations should prioritize.
Exploitation Status
As of mid-July 2026:
No confirmed public proof-of-concept exploit has surfaced in major Patch Tuesday coverage or CVE trackers.
The CVE does not appear on the CISA Known Exploited Vulnerabilities catalog.
No confirmed in-the-wild exploitation has been reported for this specific flaw (in contrast to the month’s AD FS and SharePoint zero-days).
That calm will not last indefinitely. Unauthenticated network RCE against ERP systems that hold general ledgers, payroll, inventory, and customer PII is high-value initial access for ransomware and data-theft crews. Microsoft’s “More Likely” rating, combined with the simplicity of a login-path trigger, makes rapid scanner development and eventual weaponization a realistic expectation. Predictive risk models already flag elevated near-term interest. Defenders should assume opportunistic scanning of internet-reachable Dynamics login endpoints will accelerate after disclosure.
Remediation and Temporary Mitigations
Patching is the primary fix. When change windows cannot be immediate, reduce the attack surface aggressively:
Priority
Action
Goal
1
Inventory every on-premises NAV/BC server (prod, DR, UAT, partner-hosted, staging) and apply July 2026 updates; confirm fixed builds
Eliminate the vulnerable code path
2
Remove public exposure of login, client-service, SOAP, OData, and management ports; restrict to VPN, Zero Trust, or jump hosts; allow-list partner IPs only
Block unauthenticated network reachability
3
Update IDS/IPS with post–July 14 vendor packs; harden least-privilege service accounts; ensure EDR process-creation alerts on NAV/BC accounts
Detect pre- and post-exploitation activity
4
Hunt anomalous login traffic, ERP processes spawning shells or PowerShell, new scheduled tasks/services, and lateral auth from ERP hosts into AD/SQL
Catch early compromise
5
Validate offline, tested backups of ERP databases and application servers; segment ERP from general user VLANs long term
Ensure recovery and limit blast radius
No rich public IoC set or Microsoft AMSI-style temporary guidance comparable to the month’s SharePoint zero-day has been published for this CVE. Network isolation remains the strongest compensating control until every instance is patched.
Business Impact and ERP Lessons
A compromised Dynamics host can yield full ERP data theft (GL, AP/AR, payroll, inventory, contracts, PII), fraudulent postings, ransomware encryption, production outages, and lateral movement into SQL and Active Directory. Unauthenticated RCE on finance systems is prime initial access for double-extortion operators and can trigger breach-notification duties, financial-reporting integrity concerns, SLA breaches, and cyber-insurance friction if a disclosed critical CVE is left unpatched. Industry prioritization has placed CVE-2026-55944 immediately after the actively exploited identity and collaboration zero-days precisely because ERP compromise threatens the books.
Login-adjacent code paths remain high-risk even in mature enterprise products. ERP platforms concentrate finance, supply chain, and identity-adjacent trust—they are not just another app server. Compensating architecture (no public ERP login, strict partner access, segmentation) buys time when cumulative-update testing cannot be instantaneous. Pair every patch cycle with detection tuned for deserialization-friendly .NET stacks and anomalous process trees on ERP service accounts.
What Defenders Should Do Now
Confirm whether any Dynamics NAV or Business Central (On Premises) instance is in scope. Pull the live Microsoft Security Update Guide table for CVE-2026-55944, map every build, and schedule the July updates without waiting for the next planned maintenance window if the host is network-reachable. Until the patch is verified, keep login endpoints off the public internet and under continuous monitoring. The window between disclosure and widespread weaponization is short for an unauthenticated CVSS 9.8 RCE on systems that hold the books.