CVE-2025-64656

9.4 CRITICAL

📋 TL;DR

An out-of-bounds read in Microsoft Application Gateway lets an unauthorized attacker with network reachability read memory it should not be able to access, potentially leading to privilege escalation over the network. Organizations running Microsoft Application Gateway are affected, with internet-facing deployments at the greatest exposure.

💻 Affected Systems

Products:
  • Microsoft Application Gateway
Versions: Not yet detailed in the public advisory; take the affected and fixed builds from the MSRC entry
Operating Systems: Not specified in the public advisory
Default Config Vulnerable: ⚠️ Yes
Notes: The advisory describes no configuration that avoids the issue, so treat every deployment of an affected version as vulnerable in its default configuration until it is patched.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with administrative privileges, data exfiltration, and lateral movement across the network.

🟠 Likely Case

Information disclosure from the out-of-bounds read, exposing credentials or configuration data that enable follow-on attacks.

🟢 If Mitigated

Limited impact where network segmentation and access controls confine who can reach the gateway, with exposure potentially limited to isolated components.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: No (none known at time of writing)
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires network reachability to the gateway but no authentication; the MEDIUM complexity rating indicates that specific conditions may still be needed to trigger the out-of-bounds read.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not listed here; take the fixed build number from the Microsoft Security Update Guide entry linked below

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-64656

Restart Required: Yes

Instructions:

1. Review the Microsoft Security Advisory (MSRC link above).
2. Apply the latest security update for Application Gateway.
3. Restart the Application Gateway service.
4. Verify the patch is applied correctly (see How to Verify below).

🔧 Temporary Workarounds

Network Segmentation

Applies to: all

Restrict network access to Application Gateway to trusted sources only: use firewall rules to limit inbound traffic to specific IP ranges. Because the exploit is unauthenticated, reachability is the only precondition the attacker needs, so this is the most effective interim control.

Disable Unnecessary Features

Applies to: all

Turn off any non-essential Application Gateway features to reduce attack surface: review the gateway settings and disable unused listeners, modules or configurations. The advisory does not say which component contains the out-of-bounds read, so this reduces exposure but does not remove it.

🧯 If You Can't Patch

  • Implement strict network access controls and monitor for suspicious activity.
  • Isolate the Application Gateway in a segmented network zone with limited trust.

🔍 How to Verify

Check if Vulnerable:

Check the Application Gateway version against the patched version listed in the Microsoft advisory.

Check Version:

The public advisory does not name a version-query command, and `Get-ApplicationGatewayVersion` is not a documented cmdlet. If the deployment is Azure Application Gateway, `Get-AzApplicationGateway` (Az.Network module) returns the resource's properties; the MSRC entry should be consulted for which property or build number reflects the fix. For any other deployment, use the equivalent command documented for that platform.

Verify Fix Applied:

Confirm the Application Gateway version matches or exceeds the patched version after update.

📡 Detection & Monitoring

Log Indicators:

  • Gateway worker crashes, unexpected restarts, or bursts of 5xx responses tied to a single source: a remotely triggered out-of-bounds read usually surfaces as a crash or a malformed response, not as a log line that names the fault
  • Failed authentication attempts from unexpected sources (a secondary signal, since the exploit itself needs no authentication)

Network Indicators:

  • Anomalous network traffic patterns to Application Gateway ports
  • Unexpected data exfiltration attempts

SIEM Query:

Illustrative only. The field and value names below are placeholders rather than the product's log schema, and no event literally named "privilege escalation" will appear; map them to the crash, restart and 5xx fields your log source actually emits.

source="ApplicationGateway" AND (error="out-of-bounds" OR event="privilege escalation")
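Since the advisory gives no signature for the bug, detection has to rest on behaviour: a source that repeatedly drives the gateway into 5xx responses within a short window (consistent with probing a memory-safety fault), and any source outside the trusted ranges the workaround above is meant to enforce. The following is an added example, not code from Microsoft or from this page, that runs both rules over a constructed, simplified JSON access log; the field names (`ts`, `client_ip`, `status`, ...), the trusted range and the thresholds are assumptions for the example and must be mapped to the real log schema before use.

```python
import json
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample log (JSON per line). This is NOT the real Application
# Gateway log schema; the field names are assumptions for this example.
SAMPLE_LOG = """\
{"ts":"2025-11-20T10:00:01Z","client_ip":"203.0.113.7","method":"GET","uri":"/","status":200}
{"ts":"2025-11-20T10:00:02Z","client_ip":"203.0.113.7","method":"GET","uri":"/api/v1/items","status":200}
{"ts":"2025-11-20T10:00:03Z","client_ip":"198.51.100.9","method":"POST","uri":"/upload","status":502}
{"ts":"2025-11-20T10:00:04Z","client_ip":"198.51.100.9","method":"POST","uri":"/upload","status":502}
{"ts":"2025-11-20T10:00:05Z","client_ip":"198.51.100.9","method":"POST","uri":"/upload","status":503}
{"ts":"2025-11-20T10:00:06Z","client_ip":"198.51.100.9","method":"POST","uri":"/upload","status":502}
{"ts":"2025-11-20T10:00:07Z","client_ip":"198.51.100.9","method":"POST","uri":"/upload","status":502}
{"ts":"2025-11-20T10:02:00Z","client_ip":"192.0.2.44","method":"GET","uri":"/admin","status":403}
{"ts":"2025-11-20T10:05:00Z","client_ip":"203.0.113.7","method":"GET","uri":"/health","status":502}
"""

# Assumed allowlist: the ranges the firewall workaround is supposed to permit.
TRUSTED_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]
WINDOW_SECONDS = 60     # sliding window for the 5xx burst rule (assumed)
ERROR_THRESHOLD = 5     # 5xx responses from one source within the window (assumed)


def parse_lines(text):
    """Yield one dict per non-empty log line, with 'ts' parsed to a UTC datetime."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield rec


def is_trusted(ip):
    """True if the client address falls inside any allowlisted range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_SOURCES)


def detect(text, window=WINDOW_SECONDS, threshold=ERROR_THRESHOLD):
    """Run both rules over the log text and return a list of alert dicts.

    Rule 'untrusted_source': first request from an address outside TRUSTED_SOURCES
    (the segmentation workaround is not holding, or was never applied).
    Rule 'gateway_error_burst': `threshold` or more 5xx responses to one source
    within `window` seconds; a burst like this is what repeated attempts to
    trigger a memory-safety fault tend to look like from the gateway's side.
    """
    alerts = []
    recent_errors = defaultdict(deque)   # client_ip -> timestamps of recent 5xx
    flagged_untrusted = set()
    for rec in parse_lines(text):
        ip = rec["client_ip"]
        if not is_trusted(ip) and ip not in flagged_untrusted:
            flagged_untrusted.add(ip)
            alerts.append({"rule": "untrusted_source", "client_ip": ip,
                           "first_seen": rec["ts"].isoformat()})
        if 500 <= rec["status"] <= 599:
            q = recent_errors[ip]
            q.append(rec["ts"])
            # Drop timestamps that have fallen out of the sliding window.
            while q and (rec["ts"] - q[0]).total_seconds() > window:
                q.popleft()
            if len(q) >= threshold:
                alerts.append({"rule": "gateway_error_burst", "client_ip": ip,
                               "count": len(q), "uri": rec["uri"]})
                q.clear()   # one alert per burst, not one per extra error
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(json.dumps(alert))
```

On the sample above the trusted host's single 502 on `/health` stays below the threshold, while `198.51.100.9` triggers both rules and `192.0.2.44` triggers only the allowlist rule. Tune `WINDOW_SECONDS` and `ERROR_THRESHOLD` against a baseline from your own gateway before alerting on them.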
