CVE-2025-64657
Published: 26 November 2025
Description
Stack-based buffer overflow in Azure Application Gateway allows an unauthorized attacker to elevate privileges over a network.
Mitigating Controls (NIST 800-53 r5)
Directly remediates the stack-based buffer overflow vulnerability in Azure Application Gateway through timely patching as detailed in Microsoft's update guide.
Provides memory protections such as stack canaries, DEP, and ASLR to block exploitation of the stack-based buffer overflow leading to privilege escalation.
Validates network inputs to Azure Application Gateway to restrict oversized or malformed data that could trigger the buffer overflow.
Security Summary
CVE-2025-64657 is a stack-based buffer overflow vulnerability, classified under CWE-787, affecting Azure Application Gateway. Published on 2025-11-26T01:16:07.747, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its potential for severe impact.
The vulnerability enables an unauthorized attacker to exploit it remotely over a network without requiring privileges, user interaction, or high complexity. Successful exploitation allows the attacker to elevate privileges, resulting in high confidentiality, integrity, and availability impacts.
Microsoft has published an update guide detailing the vulnerability at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-64657, which security practitioners should consult for mitigation and patching guidance.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE-2025-64657 is a critical remote buffer overflow in public-facing Azure Application Gateway (T1190: Exploit Public-Facing Application), enabling unauthenticated RCE and privilege escalation (T1068: Exploitation for Privilege Escalation).