CVE-2025-64656

Unknown · Unknown Multiple Products

Executive summary

A critical vulnerability, identified as CVE-2025-64656, has been discovered in an Application Gateway component used across multiple products. This flaw allows a remote, unauthenticated attacker to gain elevated privileges on an affected system, which could lead to a complete compromise of the network services protected by the gateway.

Vulnerability

The vulnerability is an out-of-bounds read within the Application Gateway service. An unauthenticated attacker can exploit this by sending a specially crafted request over the network to the vulnerable gateway. This malicious request causes the application to read data from a memory location outside of the intended buffer, which can leak sensitive memory contents, such as pointers or credentials. An attacker can leverage this information leak in a subsequent step to bypass security controls and execute arbitrary code with elevated privileges on the system.
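The bug class described above, shown as an added illustration: this is not the gateway's code, and the page gives no details of the actual request format. The two-byte length-prefixed record, the function names and the sample data are all assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical record: bytes 0-1 = big-endian declared payload length,
 * bytes 2.. = payload. Not the affected product's format. */
#define HDR_LEN 2

/* Unsafe: trusts the declared length and never compares it with the number
 * of bytes actually received, so it copies whatever follows the request. */
size_t echo_unchecked(const uint8_t *req, size_t received,
                      uint8_t *out, size_t out_cap)
{
    (void)received;                       /* the missing check */
    size_t declared = ((size_t)req[0] << 8) | req[1];
    if (declared > out_cap) declared = out_cap;
    memcpy(out, req + HDR_LEN, declared);
    return declared;
}

/* Hardened: rejects short headers and any declared length larger than the
 * bytes received or the output capacity. Returns 0 on rejection. */
size_t echo_checked(const uint8_t *req, size_t received,
                    uint8_t *out, size_t out_cap)
{
    if (req == NULL || out == NULL || received < HDR_LEN) return 0;
    size_t declared = ((size_t)req[0] << 8) | req[1];
    if (declared > received - HDR_LEN || declared > out_cap) return 0;
    memcpy(out, req + HDR_LEN, declared);
    return declared;
}

/* Constructed demo: a 6-byte request sits in an arena, followed by unrelated
 * bytes standing in for adjacent process memory. Returns 1 when the unchecked
 * path discloses those bytes and the checked path rejects the request. */
int demo(void)
{
    uint8_t arena[32] = {0}, out[32] = {0}, out2[32] = {0};
    const uint8_t request[] = {0x00, 0x10, 'p', 'i', 'n', 'g'}; /* declares 16, carries 4 */
    memcpy(arena, request, sizeof request);
    memcpy(arena + sizeof request, "SESSION-KEY", 11);          /* constructed neighbour */

    size_t n_bad = echo_unchecked(arena, sizeof request, out, sizeof out);
    int leaked = (n_bad == 16) && memcmp(out + 4, "SESSION-KEY", 11) == 0;
    size_t n_ok = echo_checked(arena, sizeof request, out2, sizeof out2);
    return leaked && n_ok == 0;
}

int main(void) { return demo() ? 0 : 1; }
```

The whole fix is the comparison of the declared length against `received - HDR_LEN`; a rejection on that path is also a natural place to log the malformed request for the monitoring described under Remediation.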

Business impact

This vulnerability is rated as critical severity with a CVSS score of 9.4. Successful exploitation could lead to a complete system compromise, allowing an attacker to steal sensitive data, disrupt critical business operations, or use the compromised system as a pivot point to attack other internal network resources. Given that Application Gateways are often used to protect critical web applications, a breach could result in significant financial loss, reputational damage, and regulatory penalties related to data exposure.

Remediation

Immediate Action: The primary remediation is to apply the security updates provided by the vendor. Organizations should prioritize patching internet-facing systems immediately. After patching, it is crucial to monitor systems for any signs of attempted exploitation by reviewing application and system access logs for anomalous activity.

Proactive Monitoring: Implement enhanced monitoring on affected Application Gateways. Security teams should look for abnormal traffic patterns, unexpected service crashes or restarts, and logs indicating malformed requests. Intrusion Detection and Prevention Systems (IDS/IPS) should be updated with signatures specific to this threat as they become available.

Compensating Controls: If immediate patching is not feasible, implement compensating controls to reduce the risk. Restrict network access to the management interfaces of the Application Gateway to only trusted IP addresses and administrative networks. Deploy a Web Application Firewall (WAF) or an IPS in front of the gateway to inspect and block malicious traffic patterns designed to trigger this vulnerability.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the critical CVSS score of 9.4 and the risk of a full system compromise by an unauthenticated attacker, we strongly recommend immediate action. Organizations must prioritize the identification of all vulnerable assets and apply the vendor-provided patches without delay. While this vulnerability is not yet on the CISA KEV list, its severity warrants treating it as an imminent threat. If patching is delayed for any reason, the compensating controls outlined above must be implemented as an urgent temporary measure.