CVE-2017-11786

high

Published 2017-10-13 · Modified 2026-05-13

CVSS v3

8.8

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS v2

9.3

VIR risk

8.8

Description

Skype for Business in Microsoft Lync 2013 SP1 and Skype for Business 2016 allows an attacker to steal an authentication hash that can be reused elsewhere, due to how Skype for Business handles authentication requests, aka "Skype for Business Elevation of Privilege Vulnerability."

Predictions

Exploit likelihood

92%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: secure@microsoft.com — https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11786

Application impact

Vendor	Product	Versions	Fixed
microsoft	lync	`2013`
microsoft	skype_for_business	`2016`

References

http://www.securityfocus.com/bid/101156
http://www.securitytracker.com/id/1039530
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11786
http://www.securityfocus.com/bid/101156
http://www.securitytracker.com/id/1039530
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11786

CWEs

CWE-294

Verify integrity in audit chain (admin only). AS-IS.