Information Disclosure Vulnerability in Microsoft 365 Copilot
CVE-2025-32711

9.3 CRITICAL

Key Information:

Vendor: Microsoft
CVE Published: 11 June 2025

What is CVE-2025-32711?

CVE-2025-32711 is an information disclosure vulnerability identified within Microsoft 365 Copilot, a tool designed to enhance productivity by integrating artificial intelligence capabilities into Microsoft Office applications. This vulnerability stems from an AI command injection flaw, which could enable unauthorized attackers to extract sensitive information over a network. The critical nature of this vulnerability lies in its potential to bypass security measures and expose confidential data, affecting organizations' data integrity and privacy. As Microsoft 365 is widely utilized across various sectors for collaboration and document management, the implications of this vulnerability could be significant, especially in environments where sensitive information is routinely handled.

Potential impact of CVE-2025-32711

  1. Unauthorized Information Disclosure: The vulnerability allows unauthorized attackers to access sensitive information that may include personally identifiable information (PII), financial data, or proprietary business information. This could lead to severe privacy violations and expose organizations to legal repercussions.

  2. Compromise of User Trust: Organizations affected by this vulnerability may face loss of trust from customers and partners due to the potential for data breaches. A publicized incident could damage an organization's reputation and lead to decreased customer confidence in their data handling practices.

  3. Operational Disruption: The ability to exploit this vulnerability could enable attackers to manipulate or alter the information being shared within an organization, leading to misinformation or disruptions in workflows. Such operational challenges can have downstream effects on productivity and organizational efficiency.

Affected Version(s)

Microsoft 365 Copilot: Unknown

News Articles

First Known Zero-Click AI Exploit: Microsoft 365 Copilot's 'EchoLeak' Flaw

Security researchers uncovered “EchoLeak,” a zero-click flaw in Microsoft 365 Copilot, exposing sensitive data without user action. Microsoft has mitigated the vulnerability.

3 weeks ago

‘EchoLeak’ AI Attack Enabled Theft of Sensitive Data via Microsoft 365 Copilot

Microsoft recently patched CVE-2025-32711, a vulnerability that could have been used for zero-click attacks to steal data from Copilot.

3 weeks ago

CVSS v3.1

Score: 9.3
Severity: CRITICAL
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability started trending
  • First article discovered by SecurityWeek
  • Vulnerability published
  • Vulnerability reserved
