Here is what is officially known about CVE-2025-32711, the M365 Copilot Information Disclosure Vulnerability:
Type: Information Disclosure via AI Command Injection
Product: Microsoft 365 Copilot
Impact: An unauthorized attacker can disclose information over a network by exploiting the way Copilot handles AI commands.
Exploit: Attackers might craft prompts that manipulate Copilot to reveal information it was not supposed to share, potentially including organizational data or personal information.
Microsoft Status: Microsoft tracks this as a confirmed vulnerability and has released, or will release, security updates or mitigations. For the latest information, always refer to Microsoft's official security guidance: MSRC CVE-2025-32711.
Security Guidance:
If you are an admin for M365 Copilot, review and apply all available security updates.
Educate users about prompt-based threats and restrict access as appropriate.
Consider implementing Data Loss Prevention (DLP) and Sensitivity Labeling to add a further layer of protection.
Monitor Microsoft's security update guide for remediation or patch information.