CVE-2025-64657
Published: 26 November 2025
Summary
CVE-2025-64657 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in Microsoft Azure Application Gateway. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 31.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-64657 is a stack-based buffer overflow vulnerability, classified under CWE-787, affecting Azure Application Gateway. Published on 2025-11-26T01:16:07.747, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its potential for severe impact.
An unauthorized attacker can exploit the vulnerability remotely over a network; no privileges or user interaction are required, and attack complexity is low. Successful exploitation allows the attacker to elevate privileges, resulting in high confidentiality, integrity, and availability impacts.
Microsoft has published an update guide detailing the vulnerability at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-64657, which security practitioners should consult for mitigation and patching guidance.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-199683
Vulnerability details
Stack-based buffer overflow in Azure Application Gateway allows an unauthorized attacker to elevate privileges over a network.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE-2025-64657 is a critical remote buffer overflow in public-facing Azure Application Gateway (T1190: Exploit Public-Facing Application), enabling unauthenticated RCE and privilege escalation (T1068: Exploitation for Privilege Escalation).
Mitigating Controls (NIST 800-53 r5)
- Directly remediates the stack-based buffer overflow vulnerability in Azure Application Gateway through timely patching as detailed in Microsoft's update guide.
- Provides memory protections such as stack canaries, DEP, and ASLR to block exploitation of the stack-based buffer overflow leading to privilege escalation.
- Validates network inputs to Azure Application Gateway to restrict oversized or malformed data that could trigger the buffer overflow.