An elevation of privilege vulnerability exists when Skype for Business fails to properly handle specific authentication requests. An authenticated attacker who successfully exploited this vulnerability could steal an authentication hash that can be reused elsewhere. The attacker could then take any action that the user had permissions for, causing possible outcomes that could vary between users. To exploit the vulnerability, an attacker could invite a user to an instant message session while using a malicious profile image. The security update addresses the vulnerability by correcting how Skype for Business handles authentication requests.