CVE-2025-64656

Critical

Published: 26 November 2025

Published

26 November 2025

Modified

08 December 2025

KEV Added

—

Patch

—

CVSS Score 9.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

EPSS Score 0.0013 31.4th percentile

Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-64656 is a critical-severity Out-of-bounds Read (CWE-125) vulnerability in Microsoft Azure Application Gateway. Its CVSS base score is 9.4 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 31.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly remediates the out-of-bounds read vulnerability in Application Gateway through timely patching as specified in the vendor advisory.

SI-16 Memory Protection good match

prevent

Implements memory protections such as non-executable memory and address randomization to block exploitation of the out-of-bounds read for privilege escalation.

SI-10 Information Input Validation partial match

prevent

Validates network inputs to Application Gateway to restrict malformed data that triggers the out-of-bounds read vulnerability.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

Why these techniques?

CVE describes a high-severity out-of-bounds read in public-facing Application Gateway, exploitable remotely without privileges, enabling privilege escalation and high confidentiality/integrity impacts, directly mapping to exploitation of public-facing applications and for privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Out-of-bounds read in Application Gateway allows an unauthorized attacker to elevate privileges over a network.

Deeper analysisAI

CVE-2025-64656 is an out-of-bounds read vulnerability (CWE-125) in Application Gateway. Published on 2025-11-26, it carries a CVSS v3.1 base score of 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L), indicating high severity due to its potential for significant confidentiality and integrity impacts with low availability disruption.

An unauthorized attacker can exploit this vulnerability remotely over a network with low complexity and no required privileges or user interaction. Successful exploitation allows privilege elevation, enabling high-level compromise of confidentiality and integrity, with limited availability effects.

For mitigation details, refer to the Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-64656.

Details

CWE(s): CWE-125

Affected Products

microsoft

azure application gateway

all versions

CVEs Like This One

CVE-2025-64657Same product: Microsoft Azure Application Gateway

CVE-2026-26153Same vendor: Microsoft

CVE-2026-32076Same vendor: Microsoft

CVE-2026-25175Same vendor: Microsoft

CVE-2026-25174Same vendor: Microsoft

CVE-2025-49687Same vendor: Microsoft

CVE-2026-23672Same vendor: Microsoft

CVE-2026-23673Same vendor: Microsoft

CVE-2025-48822Same vendor: Microsoft

CVE-2026-20944Same vendor: Microsoft

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-64656
Vendor Advisory · secure@microsoft.com