Cyber Posture

CVE-2025-59503

Severity: Critical

Published: 23 October 2025
Modified: 31 December 2025
KEV Added: no (not listed in CISA KEV)
Patch: see the MSRC advisory linked in the Security Summary
CVSS Score: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0020 (41.4th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS; the score here comes almost entirely from the CVSS term, since EPSS is near zero and the KEV term is absent)

Description

Server-side request forgery (SSRF) in Azure Compute Gallery allows an unauthorized attacker to elevate privileges over a network.

Security Summary

CVE-2025-59503 is a server-side request forgery (SSRF) vulnerability, classified as CWE-918, in Azure Compute Gallery. Published 2025-10-23T22:15:48.547, it carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H): reachable over the network, low attack complexity, no privileges or user interaction required, a scope change, and high confidentiality, integrity and availability impact. The scope change (S:C) is what lifts the score to the maximum: an SSRF lets the vulnerable component issue requests to resources outside its own security scope, so the impact is rated against those resources rather than the gallery service alone.

An unauthorized attacker can exploit this SSRF remotely over a network, with no prior access, to elevate privileges on the affected Azure Compute Gallery component. Despite the maximum CVSS score, the EPSS estimate is 0.0020 (41.4th percentile) and the vulnerability is not listed in CISA KEV, which is why the weighted risk priority on this page is 20 rather than higher; treat the CVSS score as the worst-case impact and the EPSS/KEV data as the current evidence of exploitation.

The Microsoft Security Response Center advisory provides guidance on mitigation and patches at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59503.
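The advisory does not describe the vulnerable code, so the following is an added, generic illustration of the CWE-918 (SSRF) class it assigns, not Azure Compute Gallery's code and not a description of how CVE-2025-59503 was exploited. It is the guard a service should apply to a user-supplied URL before fetching it server-side: fixed scheme and port, no embedded credentials, a host allowlist, and a check of every resolved address against internal and instance-metadata ranges. The resolved-address check matters even after the allowlist passes, because in cloud services the allowlisted host is often customer-controlled or can be pointed at attacker-chosen addresses. The function names, hostnames and IP addresses are constructed for this example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Internal and metadata ranges a server-side fetcher must never reach.
# The link-local block covers 169.254.169.254, the cloud instance-metadata
# endpoint that is the usual SSRF target (list constructed for this example).
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def default_resolver(host):
    """Return every address the OS would connect to for host (A and AAAA)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_outbound_url(url, allowed_hosts, resolver=default_resolver):
    """Guard a user-supplied URL before the server fetches it (example code).

    Returns (ok, reason, pinned_ips). Scheme and port are fixed, embedded
    credentials are refused, the host must be on an explicit allowlist, and
    every address it resolves to must lie outside BLOCKED_NETWORKS. The caller
    must connect to pinned_ips rather than resolve again (DNS rebinding) and
    must re-run this check on every redirect hop.
    """
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "malformed URL", []
    if parts.scheme != "https":
        return False, "scheme must be https", []
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL are not allowed", []
    host = parts.hostname  # already lower-cased by urlsplit
    if not host:
        return False, "missing host", []
    if port not in (None, 443):
        return False, "non-standard port", []
    if host not in {h.lower() for h in allowed_hosts}:
        return False, "host not on allowlist", []
    # An IP-literal host skips DNS; treat it as its own resolution result.
    try:
        ips = [str(ipaddress.ip_address(host))]
    except ValueError:
        try:
            ips = resolver(host)
        except OSError:
            return False, "DNS resolution failed", []
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so the IPv4 blocks apply.
        if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped
        if addr.is_multicast or any(addr in net for net in BLOCKED_NETWORKS):
            return False, f"{host} resolves to blocked address {ip}", []
    return True, "ok", list(ips)


if __name__ == "__main__":
    # Constructed inputs: a legitimate allowlisted host versus an attempt to
    # steer the fetch at the instance-metadata address.
    allowed = ["images.example.com"]
    fake_dns = lambda h: {"images.example.com": ["203.0.113.10"]}[h]
    print(check_outbound_url("https://images.example.com/vm.vhd", allowed, fake_dns))
    print(check_outbound_url("https://169.254.169.254/metadata/instance", allowed, fake_dns))
```

The guard is only one layer: the fetcher must also disable or re-validate redirects, connect to the pinned addresses rather than re-resolving, and apply a network-level egress policy so that a bypass of the application check still cannot reach metadata or internal services.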

Details

CWE(s)
CWE-918

Affected Products

microsoft : azure compute resource provider : all versions

The product entry names the Azure Compute resource provider, while the summary names Azure Compute Gallery; gallery resources live under the Microsoft.Compute resource provider namespace, so both refer to the same Microsoft-operated service. Because the affected component is a hosted Azure service rather than customer-installed software, check the MSRC advisory for whether any customer action is required.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation (Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Azure Compute Gallery is an Internet-facing Microsoft service, so the SSRF is reachable by an unauthenticated remote attacker (T1190), and the advisory classifies the impact as elevation of privilege (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
