CVE-2025-64663

9.9 CRITICAL

📋 TL;DR

This CVE describes an elevation of privilege vulnerability in Microsoft's Custom Question Answering service. Attackers can exploit this to gain unauthorized administrative access to affected systems. Organizations using Microsoft's Custom Question Answering service are potentially affected.

💻 Affected Systems

Products:
  • Microsoft Custom Question Answering
Versions: Specific versions not publicly detailed in initial advisory
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Affects systems with Custom Question Answering enabled; exact version details should be checked against Microsoft's advisory.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to execute arbitrary code, access sensitive data, and maintain persistent access to the environment.

🟠 Likely Case

Unauthorized administrative access to the Custom Question Answering service, potentially leading to data exfiltration or service disruption.

🟢 If Mitigated

Limited impact with proper network segmentation, least privilege access controls, and monitoring in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

CWE-918 (Server-Side Request Forgery) suggests potential for chained attacks; exploitation likely requires some initial access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Microsoft Security Update Guide for specific versions

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-64663

Restart Required: Yes

Instructions:

1. Review the Microsoft Security Update Guide for CVE-2025-64663.
2. Apply the latest security updates for Custom Question Answering.
3. Restart affected services.
4. Verify the update was successful.

🔧 Temporary Workarounds

Network Segmentation (applies to: all)

Restrict network access to Custom Question Answering services to only trusted sources.

Access Control Hardening (applies to: all)

Implement strict least privilege access controls and monitor for unusual administrative activity.

🧯 If You Can't Patch

  • Isolate affected systems from critical networks and internet access
  • Implement enhanced monitoring and alerting for suspicious administrative activities

🔍 How to Verify

Check if Vulnerable:

Check your Custom Question Answering service version against Microsoft's patched versions in their advisory.

Check Version:

Check the Custom Question Answering version through the Azure portal or your deployment configuration.

Verify Fix Applied:

Verify the service version matches or exceeds the patched version specified by Microsoft.

📡 Detection & Monitoring

Log Indicators:

  • Unusual administrative access patterns
  • Unexpected privilege escalation events
  • SSRF-related request patterns

Network Indicators:

  • Anomalous outbound requests from Custom Question Answering service
  • Unexpected internal service communication

SIEM Query:

source="CustomQuestionAnswering" AND (event_type="privilege_escalation" OR action="admin_access")
