Microsoft 365 Copilot BizChat CVE-2025-53787 Information Disclosure Vulnerability: Brief Summary and Technical Context

This post offers a brief summary of CVE-2025-53787, an information disclosure vulnerability in Microsoft 365 Copilot BizChat. It covers technical context, affected versions, and vendor security history based on currently available public information. No patch or detection details are included due to lack of official disclosure.
CVE Analysis

ZeroPath CVE Analysis

2025-08-07

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

Introduction

Sensitive business data processed through Microsoft 365 Copilot BizChat could be exposed to unauthorized parties due to a newly disclosed vulnerability. With a CVSS score of 8.2, this issue underscores the risks inherent in integrating AI-driven collaboration tools with enterprise data sources.

Technical Information

CVE-2025-53787 is classified under CWE-77 (Improper Neutralization of Special Elements used in a Command). This classification indicates that the vulnerability involves insufficient sanitization of user-supplied input, which could be interpreted as part of a command by the underlying system. In the context of Microsoft 365 Copilot BizChat, this could allow an attacker to craft input that is executed as a command, potentially resulting in unauthorized disclosure of sensitive information.

No public code snippets, exploitation flows, or root cause details are available as of August 7, 2025. The vulnerability is similar in classification to the EchoLeak (CVE-2025-32711) issue, which exploited prompt injection and LLM scope violations in Microsoft 365 Copilot. However, no direct exploitation details for CVE-2025-53787 have been published.

Affected Systems and Versions

  • Product: Microsoft 365 Copilot BizChat
  • Specific affected versions: Not disclosed in public sources as of August 7, 2025
  • Vulnerable configurations: Not specified

Vendor Security History

Microsoft has experienced several notable vulnerabilities in its AI and collaboration platforms in 2025. The EchoLeak zero-click vulnerability (CVE-2025-32711) affected Microsoft 365 Copilot and demonstrated the risks of prompt injection and LLM scope violations. Microsoft typically issues rapid server-side patches for critical vulnerabilities and maintains a regular Patch Tuesday cycle. The company collaborates with external security researchers and has a mature vulnerability disclosure process, but the pace of AI-related vulnerability discovery continues to challenge established security models.
