CVE-2025-64657

Unknown · Unknown Multiple Products

A critical vulnerability, identified as CVE-2025-64657, has been discovered in multiple products utilizing the Azure Application Gateway.

Executive summary

A critical vulnerability, identified as CVE-2025-64657, has been discovered in multiple products utilizing the Azure Application Gateway. This flaw allows a remote, unauthenticated attacker to execute arbitrary code and gain elevated privileges, potentially leading to a complete compromise of the affected system. Due to its critical severity and the potential for network-based exploitation, this vulnerability poses a significant and immediate risk to data confidentiality, integrity, and availability.

Vulnerability

This vulnerability is a stack-based buffer overflow within the Azure Application Gateway component. An unauthenticated attacker can exploit this flaw by sending a specially crafted network request to a vulnerable gateway. The request contains more data than the target buffer on the stack can handle, causing the excess data to overwrite adjacent memory, including critical control data like the function's return address. By carefully crafting the oversized input, an attacker can redirect the program's execution flow to malicious code (shellcode) they have supplied, allowing them to execute arbitrary commands with the privileges of the application gateway process, leading to privilege escalation.

Business impact

This vulnerability is rated as critical severity with a CVSS score of 9.8. Successful exploitation could lead to a complete system compromise, granting an attacker administrative-level control over the application gateway. The business impact is severe, potentially resulting in the exfiltration of sensitive data transiting the gateway, manipulation of traffic, and widespread service disruption. A compromised gateway could also serve as a pivot point for attackers to launch further attacks against the internal network, significantly expanding the breach. The potential consequences include major data breaches, financial loss, reputational damage, and regulatory penalties.

Remediation

Immediate Action: The primary remediation is to apply vendor-supplied security updates immediately. Organizations must identify all instances of the affected products and update them to the latest patched version as a top priority. In parallel, security teams should begin actively monitoring for signs of exploitation by reviewing access logs and network traffic for any anomalous activity targeting the application gateways.

Proactive Monitoring: Implement enhanced monitoring on all Azure Application Gateways. Security teams should look for:

  • Logs: Review application gateway and web server logs for unusually long or malformed requests, unexpected service crashes, or restarts.
  • Network Traffic: Utilize Intrusion Detection/Prevention Systems (IDS/IPS) to monitor for network traffic patterns consistent with buffer overflow attempts. Look for abnormally large packets or payloads directed at the gateway.
  • System Behavior: Monitor for the creation of unauthorized high-privilege accounts, unexpected outbound network connections from the gateway, or the execution of suspicious processes.
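As an added example (not part of this advisory or of any vendor tooling), the following Python script applies the log-review bullet above to Azure Application Gateway access-log records exported as JSON lines, flagging oversized or malformed requests and gateway-side 5xx responses that never received a backend status. The field names used (receivedBytes, requestUri, originalRequestUriWithArgs, httpStatus, serverStatus, clientIP, transactionId) are assumed to follow the ApplicationGatewayAccessLog resource-log layout and should be checked against your own export; the thresholds and sample records are constructed for illustration.

```python
import json
from urllib.parse import unquote_to_bytes

# Thresholds are illustrative assumptions; tune them to the gateway's normal traffic profile.
MAX_RECEIVED_BYTES = 64 * 1024    # requests larger than this are flagged as oversized
MAX_URI_LENGTH = 2048             # URIs longer than this are flagged as overlong
MAX_NONPRINTABLE_RATIO = 0.05     # URIs dominated by non-printable bytes are flagged as malformed

def _nonprintable_ratio(uri):
    """Fraction of bytes outside printable ASCII after percent-decoding the URI."""
    raw = unquote_to_bytes(uri)
    return sum(1 for b in raw if b < 0x20 or b > 0x7E) / len(raw) if raw else 0.0

def classify_record(rec):
    """Return the anomaly labels that apply to one access-log record (empty list if none)."""
    props = rec.get("properties", rec)   # resource-log export nests fields under "properties"
    findings = []
    if props.get("receivedBytes", 0) > MAX_RECEIVED_BYTES:
        findings.append("oversized_request")
    uri = props.get("originalRequestUriWithArgs") or props.get("requestUri", "")
    if len(uri) > MAX_URI_LENGTH:
        findings.append("overlong_uri")
    if _nonprintable_ratio(uri) > MAX_NONPRINTABLE_RATIO:
        findings.append("malformed_uri")
    # 5xx with an empty backend status: no backend answer, which is how a gateway worker crash or restart mid-request shows up
    if props.get("httpStatus", 0) >= 500 and not props.get("serverStatus"):
        findings.append("gateway_error_no_backend_status")
    return findings

def scan_log(lines):
    """Scan JSON-lines log text; return (clientIP, transactionId, findings) per anomalous record."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        findings = classify_record(rec)
        if findings:
            props = rec.get("properties", rec)
            hits.append((props.get("clientIP"), props.get("transactionId"), findings))
    return hits

# Constructed sample records (not real gateway output) in the access-log layout assumed above.
SAMPLE_LOG = """
{"category":"ApplicationGatewayAccessLog","properties":{"clientIP":"203.0.113.10","httpMethod":"GET","requestUri":"/api/health","receivedBytes":312,"httpStatus":200,"serverStatus":"200","transactionId":"t-0001"}}
{"category":"ApplicationGatewayAccessLog","properties":{"clientIP":"198.51.100.7","httpMethod":"POST","requestUri":"/upload","receivedBytes":1048576,"httpStatus":502,"serverStatus":"","transactionId":"t-0002"}}
{"category":"ApplicationGatewayAccessLog","properties":{"clientIP":"198.51.100.7","httpMethod":"GET","requestUri":"/%00%00%00%00%00%00%00%00%00%00/x","receivedBytes":400,"httpStatus":400,"serverStatus":"400","transactionId":"t-0003"}}
"""
ANOMALIES = scan_log(SAMPLE_LOG.splitlines())   # flags t-0002 and t-0003, not t-0001
```

Feed the script real exported log lines instead of SAMPLE_LOG and raise the thresholds until the healthy baseline produces no hits, so that what remains is worth an analyst's attention.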

Compensating Controls: If immediate patching is not feasible, implement the following compensating controls to reduce risk:

  • Deploy a Web Application Firewall (WAF) in front of the Application Gateway with strict rules to inspect and block malformed or malicious requests.
  • Restrict access to the management interfaces of the gateway to a limited set of trusted IP addresses.
  • Enhance network segmentation to isolate the application gateway, limiting an attacker's ability to move laterally if the system is compromised.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the critical severity (CVSS 9.8) of CVE-2025-64657, this vulnerability requires immediate attention. We strongly recommend that all organizations identify and patch affected systems with the highest priority. Although this CVE is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog, its characteristics make it a prime candidate for future inclusion. Organizations should assume they will be targeted and proceed with patching and implementing the recommended monitoring and compensating controls without delay to prevent a potential system compromise.