A critical vulnerability, identified as CVE-2025-65037, has been discovered in Microsoft Azure Container Apps. This flaw allows an unauthorized attacker on the internet to inject and execute malicious code, potentially leading to a complete compromise of the affected containerized applications and underlying systems. Due to the critical severity (CVSS 10) and the potential for full system takeover, immediate remediation is strongly advised.

This vulnerability is an improper control of code generation, commonly known as a code injection flaw. An unauthenticated remote attacker can send specially crafted data over the network to a vulnerable Azure Container App instance. The service fails to properly sanitize this input, allowing the attacker's data to be interpreted and executed as code, leading to remote code execution (RCE) with the privileges of the containerized application. Exploitation requires no user interaction or prior access, making it a highly critical and easily exploitable vulnerability.

This vulnerability is rated as critical severity with a CVSS score of 10, representing the highest possible risk. Successful exploitation could lead to a complete compromise of the confidentiality, integrity, and availability of the affected applications and their data. Potential consequences include theft of sensitive data, deployment of ransomware, complete service disruption, and the ability for an attacker to use the compromised environment as a foothold to move laterally within the organization's cloud infrastructure. The business risks include significant financial loss, severe reputational damage, and potential regulatory penalties.

Immediate Action: The primary remediation is to apply the security updates provided by the vendor immediately. All instances of Microsoft Azure Container Apps should be updated to the latest patched version as per the vendor's advisory. Following the update, organizations should actively monitor for any signs of post-patch exploitation attempts and review historical access and application logs for indicators of compromise.

Proactive Monitoring: Implement enhanced monitoring on Azure Container App environments. Security teams should look for unusual outbound network traffic, unexpected processes or commands being executed within containers, anomalous API calls, and suspicious modifications to container configurations. Review application and ingress controller logs for malformed requests or error patterns that could indicate exploitation attempts.

Compensating Controls: If immediate patching is not feasible, implement compensating controls to reduce the risk. This includes enforcing strict network security policies to limit ingress and egress traffic to only known-good sources and destinations. Deploying a Web Application Firewall (WAF) with rules designed to detect and block code injection patterns can also provide an additional layer of defense.

Public Exploit Available: False

Due to the critical nature of CVE-2025-65037, we recommend that organizations treat this as a top-priority security issue. The potential for unauthenticated remote code execution presents a severe risk to the entire cloud environment. The primary course of action must be to apply the vendor-supplied patches across all affected Azure Container Apps instances without delay. While this vulnerability is not yet on the CISA KEV list, its severity makes it a prime candidate for future inclusion and an attractive target for attackers. Organizations must act now to patch, monitor, and secure their environments against this threat.