Microsoft 365 PDF Export Feature Vulnerable to LFI – Sensitive Data at Risk
A critical security vulnerability in Microsoft 365’s PDF export functionality has been discovered and subsequently patched, highlighting significant risks to sensitive enterprise data.
The vulnerability, which earned its discoverer a $3,000 bounty from Microsoft’s Security Response Center (MSRC), exposed a Local File Inclusion (LFI) attack vector that could potentially compromise confidential system information across multi-tenant environments.
Discovery and Initial Investigation
The security flaw was initially uncovered during a routine client assessment when a cybersecurity researcher was analyzing a web application that featured document conversion capabilities.
The application utilized Microsoft’s official APIs to transform various document formats into PDFs through SharePoint integration.
During testing, the researcher identified anomalous behavior that allowed unauthorized access to local system files during the HTML-to-PDF conversion process.
What made this discovery particularly significant was the revelation that the vulnerability existed within Microsoft’s core infrastructure rather than the client’s custom implementation.

The client’s development team confirmed they were merely using a wrapper around Microsoft’s official APIs, prompting the researcher to escalate the findings directly to Microsoft’s security team.
The vulnerability stemmed from an undocumented feature within Microsoft Graph APIs that enabled HTML-to-PDF conversion capabilities.
While official documentation specified supported formats, including various Microsoft Office files (doc, docx, ppt, xlsx, etc.), the system also processed HTML content without proper security controls.
Attackers could exploit this weakness by embedding specific HTML tags—including
The attack methodology involved three straightforward steps: uploading a crafted HTML file via Graph API, requesting PDF conversion, and downloading the resulting document containing embedded local file content.
The researcher demonstrated the vulnerability’s effectiveness by successfully extracting common system files such as web.config and win.ini files, proving the concept’s viability in real-world scenarios.
Microsoft classified the vulnerability as “Important” severity and has since implemented comprehensive remediation measures.
The four-month investigation period concluded with the $3,000 bounty award, acknowledging the researcher’s contribution to enterprise security.
Organizations using Microsoft 365 services should ensure their systems are updated with the latest security patches to protect against similar vulnerabilities.
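A wrapper around a conversion API, like the one the client's team described, can also refuse HTML that references anything other than web or inline resources before the file is submitted for conversion. The following is an added example, not code from the researcher or Microsoft; the allowlist policy, the attribute list and all function names are assumptions, and the sample input is constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed policy: input may reference only http(s)/data: URLs or #fragments.
ALLOWED_SCHEMES = {"http", "https", "data"}
# Attributes that can make a renderer fetch a resource (assumed list).
URL_ATTRS = {"src", "href", "data", "poster", "background", "action", "xlink:href"}
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")]+)", re.IGNORECASE)
CONTROL = re.compile(r"[\x00-\x20]+")  # browsers ignore these inside URLs
SAMPLE = '<p>Report</p><img src="file:///C:/Windows/win.ini">'  # constructed input

def is_allowed(url):
    url = CONTROL.sub("", url)
    if url == "" or url.startswith("#"):
        return True
    try:  # "C:\x" parses as scheme "c"; "/x", "..\x" and "\\host\x" have none
        return urlsplit(url).scheme in ALLOWED_SCHEMES
    except ValueError:
        return False  # unparseable reference: fail closed

class LocalRefFinder(HTMLParser):
    """Collects (tag, attribute, url) for every disallowed reference."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings, self.in_style = [], False

    def handle_starttag(self, tag, attrs):
        self.in_style = tag == "style"
        for name, value in attrs:
            urls = [value or ""] if name in URL_ATTRS else []
            if name == "style":
                urls = CSS_URL.findall(value or "")
            self.findings += [(tag, name, u) for u in urls if not is_allowed(u)]

    def handle_endtag(self, tag):
        self.in_style = False

    def handle_data(self, data):
        if self.in_style:  # text inside a <style> element
            self.findings += [("style", "css", u)
                              for u in CSS_URL.findall(data) if not is_allowed(u)]

def find_local_references(html):
    finder = LocalRefFinder()
    finder.feed(html)
    finder.close()
    return finder.findings
```

An empty result from `find_local_references` means the document passed this check; any finding should block the upload. The check does not cover CSS `@import` strings or script-generated references.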