CVE-2025-64656
Published: 26 November 2025
Description
Out-of-bounds read in Application Gateway allows an unauthorized attacker to elevate privileges over a network.
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the out-of-bounds read vulnerability in Application Gateway through timely patching as specified in the vendor advisory.
Implements memory protections such as non-executable memory and address randomization to block exploitation of the out-of-bounds read for privilege escalation.
Validates network inputs to Application Gateway to restrict malformed data that triggers the out-of-bounds read vulnerability.
Security SummaryAI
CVE-2025-64656 is an out-of-bounds read vulnerability (CWE-125) in Application Gateway. Published on 2025-11-26, it carries a CVSS v3.1 base score of 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L), indicating high severity due to its potential for significant confidentiality and integrity impacts with low availability disruption.
An unauthorized attacker can exploit this vulnerability remotely over a network with low complexity and no required privileges or user interaction. Successful exploitation allows privilege elevation, enabling high-level compromise of confidentiality and integrity, with limited availability effects.
For mitigation details, refer to the Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-64656.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE describes a high-severity out-of-bounds read in public-facing Application Gateway, exploitable remotely without privileges, enabling privilege escalation and high confidentiality/integrity impacts, directly mapping to exploitation of public-facing applications and for privilege escalation.