VDB
CVE-2025-59286
CVE-2025-59286
PUBLISHED
CVSS 9.300000190734863 CRITICAL
Improper neutralization of special elements used in a command ('command injection') in Copilot allows an unauthorized attacker to disclose information over a network.
EPSS 0.11% · 28.7th percentile
Risk Scores
CVSS v3.1
9.300000190734863
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N/E:U/RL:O/RC:C
EPSS Score
0.11%
28.7th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Microsoft | Microsoft 365 Copilot's Business Chat | - |
| microsoft | 365_copilot_chat | |
| microsoft | 365_copilot_business_chat | - |
Timeline
- Oct 9, 2025 CVE Published
- Oct 9, 2025 PoC Published
- Oct 10, 2025 EPSS Score
- Oct 14, 2025 PoC Published
- Oct 16, 2025 EPSS Score
- Oct 22, 2025 EPSS Score
- Oct 29, 2025 EPSS Score
- Nov 4, 2025 EPSS Score
- Nov 10, 2025 EPSS Score
- Nov 16, 2025 EPSS Score
- Nov 23, 2025 EPSS Score
- Nov 23, 2025 PoC Published
References
- Copilot Information Disclosure Vulnerability vendor-advisory
- https://nvd.nist.gov/vuln/detail/CVE-2025-59286 advisory