Here is what is officially known about CVE-2025-32711, the M365 Copilot Information Disclosure Vulnerability:
- Type: Information Disclosure via AI Command Injection
- Product: Microsoft 365 Copilot
- Impact: An unauthorized attacker can disclose information over a network by exploiting the way Copilot handles AI commands.
- Exploit: Attackers might craft prompts that manipulate Copilot to reveal information it was not supposed to share, potentially including organizational data or personal information.
- Microsoft Status: Microsoft is tracking this as a confirmed vulnerability and will be releasing or has released security updates or mitigations. For the latest, always refer to Microsoft's official security guidance: MSRC CVE-2025-32711.
- If you are an admin for M365 Copilot, review and apply all available security updates.
- Educate users about prompt-based threats and restrict access as appropriate.
- Consider implementing Data Loss Prevention (DLP) and Sensitivity Labeling to add an additional layer of protection.
- Monitor Microsoft’s security update guide for remediation or patch information.
Source: MSRC Security Update Guide - Microsoft Security Response Center