CERT-In, the Indian cybersecurity agency, has flagged critical security flaws in Microsoft 365 Copilot that could expose users to data breaches and system disruptions. The vulnerabilities, identified as CVE-2026-42827 and CVE-2026-41090, involve input validation flaws, authentication weaknesses, and command handling issues.
Potential Attack Vectors
If exploited, the flaws could let attackers execute arbitrary code, steal sensitive data, cause denial-of-service conditions, or disrupt cloud services. Microsoft has acknowledged these vulnerabilities, along with issues in other products such as Global Secure Access, Entra ID, and Azure services, and has rolled out updates.
User Action Required
Users are strongly advised to update Microsoft 365 apps immediately via the Account > Update Options menu to mitigate risks. The updates address the critical flaws and help protect against potential exploits.
This advisory comes as part of ongoing efforts to secure widely used software platforms. Organizations and individuals using Microsoft 365 Copilot should prioritize applying the patches to ensure data security and system integrity.



