Custom Question Answering Elevation of Privilege Vulnerability
Platform
azure
Component
cognitive-service-for-language
Fixed in
2.5.4
CVE-2025-64663 is a critical elevation of privilege vulnerability in Azure Cognitive Service for Language (the Custom Question Answering feature). An attacker who exploits it can bypass the service's access controls and read or modify data held by the service. According to the listing, versions 1.0.0 and earlier are affected and the fix ships in version 2.5.4; patch promptly to reduce the exposure window.
Impact and Attack Scenarios
The elevation of privilege vulnerability in Azure Cognitive Service for Language lets an attacker bypass access controls and perform actions they are not authorized for: reading sensitive data, modifying existing records, or creating new ones under elevated permissions. A successful exploit could cause a significant data breach, compromise the integrity of the service, and affect downstream applications that rely on it. The blast radius covers every application and user that consumes data processed by a vulnerable deployment, so the issue deserves high priority. Privilege escalation is especially damaging in cloud environments, where access controls are the main boundary protecting tenant data and compliance posture.
Exploitation Context
CVE-2025-64663 was publicly disclosed on December 18, 2025. Its CVSS score of 9.9 (Critical) measures how severe a successful exploit would be, not how likely one is: at the time of writing no public proof-of-concept exploit is known, and the EPSS estimate is low (0.06%). The CVE is not listed in the CISA KEV catalog, which tracks confirmed in-the-wild exploitation rather than severity. The severity alone still justifies immediate patching; monitor vendor advisories and threat intelligence feeds for any reports of active exploitation.
Who Is at Risk
Organizations that process sensitive data with Azure Cognitive Service for Language on an affected version (1.0.0 and earlier) are at the greatest risk. Those with complex access control configurations, or whose Azure RBAC assignments are not tightly scoped, are more exposed because a privilege escalation has more to gain from over-broad roles.
Detection Steps
- azure: Review Azure Activity Logs for suspicious control-plane operations against the Cognitive Service for Language account (key listing or regeneration, role assignment changes, configuration writes), and for callers whose run of authorization failures is followed by a success.
- azure: Use Microsoft Defender for Cloud (formerly Azure Security Center) to surface unusual identity activity and privilege-escalation alerts.
- generic web: Monitor network traffic to and from the Cognitive Service endpoint for unexpected request patterns or requests from unauthorized sources.
- generic web: Review application logs for errors or anomalies that might indicate an attempted exploit.
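The first detection step in practice, as an added example that is not code from the original page or from Microsoft: a small triage script that runs over Azure Activity Log records and flags two things, successful privileged control-plane operations against a Cognitive Services account (key listing or regeneration, account writes, role assignment writes) and a caller whose run of authorization failures is immediately followed by a success, the typical shape of an access-control bypass attempt. It assumes the public Activity Log field names (`time`, `operationName`, `resultType`, `caller`, `resourceId`); the sample records and the resource paths are constructed, not captured from a real tenant, and the operation names and failure threshold are the author's assumptions, not anything specific to how CVE-2025-64663 is exploited.

```python
"""Triage constructed Azure Activity Log records for privilege-escalation
indicators around a Cognitive Services (Language) account.

Added example, not code from the page or from Microsoft. Field names follow
the public Activity Log schema; the records below are constructed."""
import json
from collections import defaultdict

# Control-plane operations that expose keys or change who can reach the
# account; a success here from an unexpected caller warrants a ticket.
PRIVILEGED_OPS = {
    "Microsoft.CognitiveServices/accounts/listKeys/action",
    "Microsoft.CognitiveServices/accounts/regenerateKey/action",
    "Microsoft.CognitiveServices/accounts/write",
    "Microsoft.Authorization/roleAssignments/write",
}
# Consecutive authorization failures by one caller that make a following
# success suspicious (threshold chosen for the example; tune per tenant).
FAILURE_THRESHOLD = 3

# Constructed resource paths (not a real subscription).
ACCOUNT = ("/subscriptions/sub/resourceGroups/rg-nlp/providers/"
           "Microsoft.CognitiveServices/accounts/lang-prod")
STORAGE = ("/subscriptions/sub/resourceGroups/rg-nlp/providers/"
           "Microsoft.Storage/storageAccounts/nlpdata")


def _line(time, caller, op, result, resource=ACCOUNT):
    """Build one constructed Activity Log record as a JSON line."""
    return json.dumps({"time": time, "category": "Administrative",
                       "operationName": op, "resultType": result,
                       "caller": caller, "resourceId": resource})


# Constructed sample export (JSON lines), not captured from a real tenant.
SAMPLE_ACTIVITY_LOG = "\n".join([
    _line("2025-12-19T08:00:01Z", "analyst@contoso.example",
          "Microsoft.CognitiveServices/accounts/read", "Success"),
    _line("2025-12-19T08:00:05Z", "svc-bot@contoso.example",
          "Microsoft.CognitiveServices/accounts/listKeys/action", "Failure"),
    _line("2025-12-19T08:00:07Z", "svc-bot@contoso.example",
          "Microsoft.CognitiveServices/accounts/listKeys/action", "Failure"),
    _line("2025-12-19T08:00:09Z", "svc-bot@contoso.example",
          "Microsoft.CognitiveServices/accounts/listKeys/action", "Failure"),
    _line("2025-12-19T08:00:12Z", "svc-bot@contoso.example",
          "Microsoft.CognitiveServices/accounts/listKeys/action", "Success"),
    _line("2025-12-19T08:01:00Z", "admin@contoso.example",
          "Microsoft.Authorization/roleAssignments/write", "Success",
          ACCOUNT + "/providers/Microsoft.Authorization/roleAssignments/7c1e"),
    _line("2025-12-19T08:02:00Z", "analyst@contoso.example",
          "Microsoft.Storage/storageAccounts/read", "Success", STORAGE),
])


def parse_activity_log(text):
    """Parse a JSON-lines export into dicts, ignoring blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def targets_cognitive_account(resource_id):
    """True for the account itself and for child resources (such as its
    role assignments), whose resourceId starts with the account path."""
    return "/providers/Microsoft.CognitiveServices/accounts/" in resource_id


def triage(records, failure_threshold=FAILURE_THRESHOLD):
    """Return findings in time order. Two detections:
    - privileged_operation: a successful PRIVILEGED_OPS call on the account;
    - probe_then_success: a caller succeeds right after >= threshold
      consecutive failures, the shape of an access-control bypass attempt."""
    findings = []
    streak = defaultdict(int)  # caller -> consecutive Failure records
    for rec in sorted(records, key=lambda r: r["time"]):
        if not targets_cognitive_account(rec.get("resourceId", "")):
            continue
        caller, op, result = rec["caller"], rec["operationName"], rec["resultType"]
        if result == "Failure":
            streak[caller] += 1
            continue
        if result != "Success":  # other resultType values carry no outcome
            continue
        if streak[caller] >= failure_threshold:
            findings.append({"kind": "probe_then_success", "caller": caller,
                             "time": rec["time"], "operation": op,
                             "prior_failures": streak[caller]})
        streak[caller] = 0
        if op in PRIVILEGED_OPS:
            findings.append({"kind": "privileged_operation", "caller": caller,
                             "time": rec["time"], "operation": op})
    return findings


if __name__ == "__main__":
    for f in triage(parse_activity_log(SAMPLE_ACTIVITY_LOG)):
        print(f"{f['time']} {f['kind']:22} {f['caller']:26} {f['operation']}")
```

On the constructed data the script reports three findings: the service principal that succeeded at `listKeys` after three failures (both as a probe-then-success pattern and as a privileged operation), and the role assignment written on the account. To run it against real data, convert an Activity Log export (for example the JSON array from `az monitor activity-log list`) to one record per line first; the "probe then succeed" heuristic is deliberately simple and will need tuning for callers that legitimately retry.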
Attack Timeline
- Disclosure
Threat Analysis
Exploit Status
EPSS
0.06% (18th percentile)
CISA SSVC
CVSS Vector
What do these metrics mean?
- Attack Vector
- Network: exploitable remotely over the Internet; no physical or local access required.
- Attack Complexity
- Low: no special conditions required; exploitation is repeatable.
- Privileges Required
- Low: any valid user account is sufficient.
- User Interaction
- None: the victim does not need to do anything.
- Scope
- Changed: a successful attack can reach beyond the vulnerable component into other systems.
- Confidentiality
- High: total loss of confidentiality; the attacker can read all data.
- Integrity
- High: the attacker can write, modify or delete arbitrary data.
- Availability
- High: total loss of availability (complete crash or resource exhaustion).
Affected Software
Vulnerability Classification (CWE)
Timeline
- Reserved
- Published
- Modified
- EPSS updated
Mitigation and Workarounds
The primary mitigation for CVE-2025-64663 is to upgrade Azure Cognitive Service for Language to version 2.5.4 or later. If an immediate upgrade is not feasible, reduce exposure in the meantime: review and tighten Azure RBAC assignments so that users and applications reaching the Cognitive Service hold only the roles they need, restrict the account's network access so that it is reachable only from the systems that must use it, and monitor for suspicious activity. A WAF rule is unlikely to help for a server-side access-control flaw, so focus on API request patterns that indicate privilege escalation attempts. After upgrading, verify the fix by attempting the previously unauthorized operations with a low-privilege account and confirming that they are denied.
How to Fix
Microsoft has released an update for Azure Cognitive Service for Language that addresses this vulnerability. Upgrade to version 2.5.4 or later to mitigate the risk. See the Microsoft Security Update Guide for detailed instructions on applying the update.
Frequently Asked Questions
What is CVE-2025-64663 — Elevation of Privilege in Azure Cognitive Service?
CVE-2025-64663 is a critical elevation of privilege vulnerability in Azure Cognitive Service for Language, allowing attackers to bypass access controls and gain unauthorized access.
Am I affected by CVE-2025-64663 in Azure Cognitive Service?
If you are using Azure Cognitive Service for Language version 1.0.0 or earlier, you are affected; version 2.5.4 and later contain the fix.
How do I fix CVE-2025-64663 in Azure Cognitive Service?
Upgrade to version 2.5.4 of Azure Cognitive Service for Language. Review Microsoft's documentation for potential breaking changes before upgrading.
Is CVE-2025-64663 being actively exploited?
No public exploits or reports of in-the-wild exploitation are currently known, and the CVE is not in the CISA KEV catalog. Its critical severity still makes it an attractive target, so patch promptly and monitor security advisories.
Where can I find the official Azure advisory for CVE-2025-64663?
Refer to the official Microsoft Security Update Guide for details: [https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-64663](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-64663)