CVE-2025-64663

Microsoft · Azure AI Language (Custom Question Answering)

A critical elevation of privilege vulnerability exists in the Custom Question Answering component of the Microsoft Azure AI Language service.

Executive summary

A critical elevation of privilege vulnerability in Microsoft Azure AI Language allows unauthorized users to gain elevated access levels, posing a severe risk to system integrity.

Vulnerability

This vulnerability involves a flaw in the Custom Question Answering service that permits an attacker to elevate their current privileges. The exact authentication requirements for successful exploitation remain unspecified in the current disclosure.

Business impact

Successful exploitation of this vulnerability could result in unauthorized administrative access, allowing an attacker to manipulate sensitive data or compromise the underlying cloud infrastructure. Given the critical CVSS score of 9.9, the potential for widespread service disruption and loss of data confidentiality is extremely high.

Remediation

Immediate Action: Review the official Microsoft security update portal and apply all relevant patches for the Azure AI Language service.

Proactive Monitoring: Audit access logs for unusual administrative activity or spikes in privilege escalation events within the Azure environment.

Compensating Controls: Ensure the principle of least privilege is strictly enforced for all service accounts and utilize Azure Policy to restrict unauthorized configuration changes.
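One way to run the Proactive Monitoring audit above, as an added example that is not part of the advisory and is not Microsoft's code: it filters Azure Activity Log records for role assignment and key operations on Cognitive Services accounts (the resource provider behind Azure AI Language), reports those made by callers outside an allowlist, and lists callers whose event count reaches a threshold. Assumptions: records are in the shape returned by `az monitor activity-log list`; the allowlist, the threshold and all sample names are constructed. It reviews control-plane activity only, because the advisory gives no indicators for the vulnerability itself.

```python
from collections import Counter

# Real Azure control-plane operation names, compared in lower case.
SENSITIVE_OPS = {
    "microsoft.authorization/roleassignments/write",
    "microsoft.cognitiveservices/accounts/write",
    "microsoft.cognitiveservices/accounts/listkeys/action",
    "microsoft.cognitiveservices/accounts/regeneratekey/action",
}
# Azure AI Language resources live under this resource provider path.
SCOPE = "/providers/microsoft.cognitiveservices/accounts/"

def audit(events, known_admins, spike_threshold=3):
    """Return (findings, spiking_callers) for a list of Activity Log records."""
    allowed = {a.lower() for a in known_admins}  # allowlist is an assumption of this example
    findings, per_caller = [], Counter()
    for ev in events:
        op = ev["operationName"]["value"].lower()
        rid = ev.get("resourceId", "").lower()
        status = ev.get("status", {}).get("value", "")
        # Many operations also log a "Started" record; skip it to avoid double counting.
        if op not in SENSITIVE_OPS or SCOPE not in rid or status == "Started":
            continue
        caller = ev.get("caller", "unknown")
        per_caller[caller] += 1
        if caller.lower() not in allowed:
            findings.append((ev["eventTimestamp"], caller, op, status))
    spikes = sorted(c for c, n in per_caller.items() if n >= spike_threshold)
    return findings, spikes

def _ev(ts, caller, op, rid, status="Succeeded"):
    """Build one constructed record in the `az monitor activity-log list` shape."""
    return {"eventTimestamp": ts, "caller": caller, "operationName": {"value": op},
            "resourceId": rid, "status": {"value": status}}

# Constructed sample data: placeholder subscription, resource and caller names.
_LANG = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
         "/providers/Microsoft.CognitiveServices/accounts/lang-demo")
_RA = _LANG + "/providers/Microsoft.Authorization/roleAssignments/"
_KEYS = "Microsoft.CognitiveServices/accounts/listKeys/action"
_ROLE = "Microsoft.Authorization/roleAssignments/write"
SAMPLE_EVENTS = [
    _ev("2025-01-01T09:00:00Z", "admin@contoso.example", _ROLE, _RA + "a1"),
    _ev("2025-01-01T09:05:00Z", "svc-bot@contoso.example", _KEYS, _LANG),
    _ev("2025-01-01T09:06:00Z", "svc-bot@contoso.example", _KEYS, _LANG),
    _ev("2025-01-01T09:07:00Z", "svc-bot@contoso.example", _KEYS, _LANG, "Failed"),
    _ev("2025-01-01T09:10:00Z", "intern@contoso.example", _ROLE, _RA + "b2", "Started"),
    _ev("2025-01-01T09:10:01Z", "intern@contoso.example", _ROLE, _RA + "b2"),
    _ev("2025-01-01T09:20:00Z", "intern@contoso.example", _ROLE, "/subscriptions/0/providers/Microsoft.Storage/storageAccounts/x"),
]
```

Calling `audit(SAMPLE_EVENTS, {"admin@contoso.example"})` returns the findings list and the list of spiking callers; feed it real records by loading the JSON output of `az monitor activity-log list` instead of `SAMPLE_EVENTS`.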

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

The severity of this vulnerability necessitates immediate attention from cloud security teams. Organizations should prioritize patching their Azure AI Language deployments to prevent potential unauthorized privilege escalation and subsequent system compromise.