CVE-2025-32711

M365 Copilot Information Disclosure Vulnerability

CVSS 9.3 CRITICALEPSS 5.8%CWE-74

Ai command injection in M365 Copilot allows an unauthorized attacker to disclose information over a network.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N/E:U/RL:O/RC:C

Affected products

Microsoft · Microsoft 365 Copilot

public PoCs found — 3

githubgithub.com/daryllundy/cve-2025-32711★ 3 githubgithub.com/TreRB/markdown-exfil-tester★ 0 githubgithub.com/Danielossai12/aisecplus-week01-danielossai★ 0

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-32711 https://www.aim.security/lp/aim-labs-echoleak-m365