azure-container-apps
修复版本
2.5.4
CVE-2025-65037 describes a Remote Code Execution (RCE) vulnerability within Azure Container Apps. This flaw, stemming from improper code generation control, allows an unauthorized attacker to execute arbitrary code over a network. The vulnerability impacts versions 1.0.0 and earlier, with a fix available in version 2.5.4. Microsoft has released a security advisory and recommends immediate patching.
The impact of CVE-2025-65037 is severe. Successful exploitation allows an attacker to gain complete control over the affected Azure Container Apps environment. This could lead to data breaches, system compromise, and the potential for lateral movement within the broader Azure infrastructure. An attacker could leverage this RCE to install malware, steal sensitive data, or disrupt services. The ability to execute code over a network significantly expands the attack surface and increases the potential blast radius, potentially impacting multiple tenants and applications.
CVE-2025-65037 was published on December 18, 2025. The vulnerability's severity is classified as CRITICAL (CVSS score 10.0). Public proof-of-concept exploits are not currently available, but the RCE nature of the vulnerability suggests a high probability of exploitation if a PoC is released. It is not currently listed on the CISA KEV catalog.
Organizations heavily reliant on Azure Container Apps for deploying and managing containerized applications are at significant risk. This includes those using legacy deployments of versions 1.0.0 and earlier, as well as those with less stringent network security configurations. Shared hosting environments utilizing Azure Container Apps are also particularly vulnerable.
• azure / container:
Get-AzContainerApp | Where-Object {$_.Version -lt '2.5.4'}• azure / container: Monitor Azure activity logs for suspicious processes or commands executed within container apps. • azure / container: Review network security group rules to ensure minimal necessary access to container apps. • azure / container: Check for unusual network traffic patterns originating from container apps.
disclosure
漏洞利用状态
EPSS
0.07% (22% 百分位)
CISA SSVC
CVSS 向量
The primary mitigation for CVE-2025-65037 is to upgrade Azure Container Apps to version 2.5.4 or later. If immediate upgrading is not feasible, consider implementing network segmentation to restrict access to the vulnerable service. Review and tighten access controls to limit the potential attack surface. While a direct WAF rule is unlikely to be effective against code injection, implementing strict input validation and output encoding within your containerized applications can help reduce the risk. Monitor Azure activity logs for suspicious code execution patterns.
Microsoft ha lanzado una actualización para Azure Container Apps que mitiga la vulnerabilidad de inyección de código. Actualice su instancia de Azure Container Apps a la versión 2.5.4 o posterior para solucionar el problema. Consulte la guía de actualización de Microsoft para obtener instrucciones detalladas.
漏洞分析和关键警报直接发送到您的邮箱。
CVE-2025-65037 is a critical Remote Code Execution vulnerability in Azure Container Apps versions 1.0.0 and earlier, allowing attackers to execute code over a network due to improper code generation control.
You are affected if you are using Azure Container Apps versions 1.0.0 or earlier. Upgrade to version 2.5.4 or later to mitigate the risk.
Upgrade Azure Container Apps to version 2.5.4 or later. If immediate upgrading is not possible, implement network segmentation and review access controls.
While no public exploits are currently available, the vulnerability's severity suggests a high probability of exploitation if a PoC is released.
Refer to the official Microsoft security advisory for CVE-2025-65037 on the Microsoft Security Response Center website.