At a glance: Microsoft 365 Copilot contains multiple remotely exploitable vulnerabilities that allow unauthenticated attackers to perform privilege escalation, command injection, and data access.
The German Federal Office for Information Security (BSI) has documented multiple vulnerabilities in Microsoft 365 Copilot that can be exploited by unauthenticated attackers. The flaws enable privilege escalation, command injection, data manipulation, and disclosure of confidential information.
The BSI warns in Security Advisory WID-SEC-2026-2020 of multiple vulnerabilities in Microsoft 365 Copilot that can be exploited remotely. Through these flaws, anonymous attackers can access affected systems without prior authentication.
The advisory describes four attack scenarios: first, elevation of privileges, allowing an attacker to operate with elevated rights within the system; second, command injection, giving the attacker control over what the system executes; third, manipulation of data in Microsoft 365 environments; and fourth, extraction of confidential information, such as the contents of documents or storage.
CISOs should conduct a risk analysis to determine whether and to what extent Microsoft 365 Copilot is deployed in their own infrastructure. Depending on the maturity level and network segmentation, these vulnerabilities can serve as a direct entry point for attackers. The BSI is expected to provide additional technical details and remediation options shortly.
Source: wid.cert-bund.de · Published June 22, 2026
Lumi AI News — AI-assisted curation in accordance with Article 50 EU AI Act. Paraphrase and classification through Lumi News Pipeline v1.7.1.