Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-64663

CVE-2025-64663: Azure Language Privilege Escalation Flaw

CVE-2025-64663 is a privilege escalation vulnerability in Microsoft Azure Language's Custom Question Answering feature that allows attackers to gain elevated privileges. This article covers technical details, affected versions, impact assessment, and mitigation strategies.

Published:

CVE-2025-64663 Overview

CVE-2025-64663 is an elevation of privilege vulnerability in Microsoft Azure Language's Custom Question Answering service. Microsoft classifies the flaw under [CWE-918] Server-Side Request Forgery (SSRF), which allows an authenticated attacker to coerce the service into issuing requests on their behalf. Successful exploitation grants elevated privileges within the Azure Language service context, with high impact to confidentiality, integrity, and availability. The vulnerability is exploitable over the network with low attack complexity and low privileges, and requires no user interaction. Microsoft published the advisory on December 18, 2025.

Critical Impact

An authenticated, network-based attacker can abuse Custom Question Answering to issue server-side requests and elevate privileges, leading to high impact on confidentiality, integrity, and availability of the Azure Language workload.

Affected Products

  • Microsoft Azure Language (Custom Question Answering feature)
  • Azure AI Language service tenants using Custom Question Answering
  • Any application integrating the affected Azure Language endpoints

Discovery Timeline

  • 2025-12-18 - CVE-2025-64663 published to NVD and Microsoft Security Response Center
  • 2026-01-16 - Last updated in NVD database

Technical Details for CVE-2025-64663

Vulnerability Analysis

The flaw resides in Microsoft Azure Language's Custom Question Answering component, which builds and serves question-answer pairs sourced from URLs and documents that the customer supplies. Microsoft attributes the issue to Server-Side Request Forgery [CWE-918]. The service accepts attacker-influenced URLs or request parameters and then performs outbound HTTP requests on the server side without sufficient validation of the destination. Because the requests originate from inside Microsoft's Azure infrastructure, the attacker effectively borrows the trust boundary of the Custom Question Answering worker. This crosses tenant and network isolation expectations, producing an elevation of privilege outcome rather than a simple information disclosure.

Root Cause

The Custom Question Answering ingestion or lookup logic does not adequately restrict the target of server-initiated HTTP requests. Allowed destinations include internal Azure metadata, management endpoints, or neighboring service URIs that should never be reachable from a tenant-controlled input. Insufficient URL parsing, host allow-listing, and response handling form the underlying defect.

Attack Vector

An authenticated attacker with low privileges submits crafted input — typically a knowledge-base source URL, document ingestion request, or query parameter — that points the service at an internal target. The Azure Language backend resolves and fetches the attacker-chosen URL, returning content or side effects that the attacker would not normally access. Reachable internal endpoints can be used to retrieve credentials, instance metadata, or to invoke privileged APIs, completing the privilege escalation path.

No public proof-of-concept code has been released, and no exploit examples are available in the referenced advisory. See the Microsoft Security Update CVE-2025-64663 for vendor-supplied technical context.

Detection Methods for CVE-2025-64663

Indicators of Compromise

  • Custom Question Answering ingestion jobs referencing internal IP ranges, 169.254.169.254, localhost, or non-public hostnames.
  • Unexpected outbound requests originating from Azure Language workloads to Azure Instance Metadata Service (IMDS) or management plane endpoints.
  • Knowledge base sources submitted with URL schemes such as file://, gopher://, or unusual ports.
  • Spikes in 4xx/5xx responses from Custom Question Answering source-fetch operations preceding privileged API calls.

Detection Strategies

  • Inspect Azure Activity Logs and Azure Language diagnostic logs for ingestion or query events containing suspicious URLs or redirected hostnames.
  • Correlate Custom Question Answering API calls with subsequent privileged operations under the same service principal or managed identity.
  • Apply URL allow-list validation at the application gateway in front of any client tooling that submits sources to Custom Question Answering.

Monitoring Recommendations

  • Forward Azure Monitor and Microsoft Defender for Cloud alerts for Azure Cognitive Services and Azure Language into your SIEM for review.
  • Alert on managed identity token requests issued from Azure Language workloads to resources outside the expected scope.
  • Track configuration changes to Custom Question Answering projects, including source additions and role assignment modifications.

How to Mitigate CVE-2025-64663

Immediate Actions Required

  • Review the Microsoft Security Update CVE-2025-64663 advisory and confirm your tenant is running the patched service version.
  • Audit all Custom Question Answering projects for unexpected source URLs, recent ingestion jobs, and unfamiliar contributors.
  • Rotate keys and credentials associated with Azure Language resources and any managed identities granted access to them.
  • Restrict who can create or modify Custom Question Answering knowledge bases using Azure role-based access control.

Patch Information

Microsoft addressed CVE-2025-64663 as a service-side fix in Azure Language. Because Custom Question Answering is a Microsoft-managed cloud service, the remediation is deployed by Microsoft and does not require customer-installed updates. Verify that no on-premises containerized deployments of the feature remain in use, and consult the Microsoft advisory for any tenant-side configuration guidance.

Workarounds

  • Restrict outbound network access from Azure Language resources using virtual network integration and private endpoints where supported.
  • Enforce least privilege on service principals and managed identities that interact with Custom Question Answering.
  • Validate and allow-list any URLs submitted to Custom Question Answering at the client or API gateway layer before the service receives them.
  • Disable Custom Question Answering projects that are no longer required to reduce attack surface.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.