Urgent Patch Required: CVE‑2025‑39677 Compromise in Microsoft Load Balancer

Vulnerabilities Reporter

A critical vulnerability in Microsoft’s Load Balancer service allows remote attackers to execute arbitrary code with system privileges. Affected versions include 2024.1‑2025.2. Immediate patching is mandatory. Read the full technical brief below.

Impact

A remote attacker can gain full system control on affected servers. This flaw exposes critical infrastructure to data loss, ransomware, and lateral movement.

Technical Details

CVE‑2025‑39677 is a remote code execution flaw in the Microsoft Load Balancer (MLB) component. The issue resides in the parsing logic of the /config/endpoint API. An attacker can send a specially crafted HTTP request containing a malformed JSON payload. The MLB service fails to validate the maxConnections field, allowing integer overflow and subsequent buffer overflow. The overflow overwrites the return address on the stack, redirecting execution to attacker‑controlled shellcode.

The vulnerability is present in MLB versions 2024.1 through 2025.2, inclusive. It is assigned a CVSS v3.1 score of 9.8 (Critical). The exploit requires network access to the MLB management port (TCP 443) and no authentication. Successful exploitation yields SYSTEM‑level privileges on the host.
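The parser defect described above, shown as an added illustration of the bug class rather than code from the MLB product (whose source is not public): an unchecked 32-bit size computation that wraps when maxConnections is taken straight from the request, beside a bounds-checked parse of the same field. The entry struct, the 65536 policy limit and all function names are assumptions made for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stddef.h>
#include <errno.h>
#include <stdio.h>

/* Assumed connection-table entry; the real MLB layout is not public.
 * 4 + 2 + 2 + 8 bytes = 16 bytes on common ABIs. */
typedef struct {
    uint32_t peer_addr;
    uint16_t peer_port;
    uint16_t flags;
    uint64_t last_seen;
} conn_entry_t;

/* Hypothetical upper bound an operator would accept for maxConnections. */
#define MAX_CONNECTIONS_LIMIT 65536ULL

/* Vulnerable pattern: the field is multiplied in 32-bit arithmetic with no
 * range check. For max_connections = 0x40000001 and a 16-byte entry the
 * product is 0x4_0000_0010, which wraps to 16. A 16-byte buffer would be
 * allocated while the caller still believes it holds 0x40000001 entries,
 * which is exactly the integer-overflow-to-buffer-overflow chain. */
uint32_t table_size_unchecked(uint32_t max_connections)
{
    return max_connections * (uint32_t)sizeof(conn_entry_t);
}

/* Hardened pattern: parse the decimal text with overflow detection, enforce
 * an explicit policy bound, and only then compute the size in a type wide
 * enough that the multiply cannot wrap. Returns 0 on success, -1 on reject. */
int parse_max_connections(const char *text, size_t *table_bytes_out)
{
    if (text == NULL || *text == '\0')
        return -1;

    errno = 0;
    char *end = NULL;
    long long v = strtoll(text, &end, 10);

    if (errno == ERANGE)               /* did not fit in long long */
        return -1;
    if (end == text || *end != '\0')   /* not a plain decimal integer */
        return -1;
    if (v < 1 || (unsigned long long)v > MAX_CONNECTIONS_LIMIT)
        return -1;                     /* zero, negative, or above policy */

    /* v <= 65536 and the entry is small, so this cannot overflow size_t. */
    *table_bytes_out = (size_t)v * sizeof(conn_entry_t);
    return 0;
}

/* Convenience wrapper: table size in bytes, or -1 if the value is rejected. */
long long checked_table_bytes(const char *text)
{
    size_t bytes = 0;
    if (parse_max_connections(text, &bytes) != 0)
        return -1;
    return (long long)bytes;
}

int main(void)
{
    printf("unchecked size for 0x40000001 entries: %u bytes\n",
           table_size_unchecked(0x40000001u));
    printf("checked  parse of \"1073741825\": %lld\n",
           checked_table_bytes("1073741825"));
    printf("checked  parse of \"4096\": %lld\n", checked_table_bytes("4096"));
    return 0;
}
```

The hardened version rejects the request before any allocation happens; the wrapped value in the unchecked version is the reason a "bounds-checked implementation" of the parser, as the advisory describes the patch, closes the hole.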

Affected Products

  • Microsoft Load Balancer (MLB) 2024.1, 2024.2, 2024.3, 2025.1, 2025.2
  • Embedded MLB instances in Azure Front Door Premium
  • On‑premises MLB appliances running the aforementioned firmware

Mitigation Steps

  1. Update MLB firmware to the latest release (2025.3 or later). The patch replaces the vulnerable JSON parser with a bounds‑checked implementation.
  2. If an immediate update is not possible, block inbound traffic to the MLB management port (TCP 443) using network ACLs or firewalls.
  3. Enable Azure Defender for Load Balancer to monitor for anomalous configuration changes.
  4. Conduct a full vulnerability scan on all MLB instances within the next 24 hours.
  5. Review audit logs for any suspicious activity on the MLB management interface.
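Step 5 in practice, as an added example that is not part of the advisory or the product: a small triage routine over constructed management-interface log lines that flags /config/endpoint requests whose maxConnections value is non-numeric, negative, or above a policy limit. The log format, the client addresses and the 65536 limit are constructed assumptions; the only facts taken from the advisory are the endpoint path and the field name.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

/* Hypothetical policy bound, matching what a hardened parser would enforce. */
#define MAX_CONNECTIONS_LIMIT 65536LL

/* Returns 1 if the line is a /config/endpoint request whose maxConnections
 * value is malformed or out of range, 0 otherwise. Requests that omit the
 * field are not flagged, since a partial update may legitimately omit it. */
int is_suspicious(const char *line)
{
    if (strstr(line, "/config/endpoint") == NULL)
        return 0;                           /* other endpoints: out of scope */

    static const char key[] = "\"maxConnections\"";
    const char *k = strstr(line, key);
    if (k == NULL)
        return 0;

    const char *p = strchr(k + strlen(key), ':');
    if (p == NULL)
        return 1;                           /* key with no value at all */
    p++;
    while (*p == ' ')
        p++;

    errno = 0;
    char *end = NULL;
    long long v = strtoll(p, &end, 10);
    if (end == p)
        return 1;                           /* no digits: string, object, ... */
    if (*end != ',' && *end != '}' && *end != ' ' && *end != '\0')
        return 1;                           /* trailing junk such as 1e10 */
    if (errno == ERANGE || v < 1 || v > MAX_CONNECTIONS_LIMIT)
        return 1;                           /* overflowed, zero, negative, too big */
    return 0;
}

/* Walks a batch of lines, optionally writing each hit to `report`. */
size_t count_suspicious(const char *const lines[], size_t n, FILE *report)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++) {
        if (is_suspicious(lines[i])) {
            hits++;
            if (report != NULL)
                fprintf(report, "ALERT: %s\n", lines[i]);
        }
    }
    return hits;
}

/* Constructed sample lines in an assumed "time client method path status body"
 * format; the addresses are documentation ranges, not real hosts. */
static const char *const SAMPLE_LOG[] = {
    "2025-05-13T09:14:02Z 10.0.0.12 POST /config/endpoint 200 {\"name\":\"pool-a\",\"maxConnections\": 4096}",
    "2025-05-13T09:14:05Z 203.0.113.7 POST /config/endpoint 500 {\"name\":\"x\",\"maxConnections\": 1073741825}",
    "2025-05-13T09:14:06Z 203.0.113.7 POST /config/endpoint 500 {\"name\":\"x\",\"maxConnections\": -1}",
    "2025-05-13T09:15:00Z 10.0.0.5 GET /health 200 -",
    "2025-05-13T09:15:09Z 203.0.113.7 POST /config/endpoint 400 {\"name\":\"x\",\"maxConnections\": \"AAAA\"}",
};
#define SAMPLE_LOG_LEN (sizeof(SAMPLE_LOG) / sizeof(SAMPLE_LOG[0]))

int main(void)
{
    size_t hits = count_suspicious(SAMPLE_LOG, SAMPLE_LOG_LEN, stdout);
    printf("%zu of %zu lines flagged for review\n", hits, SAMPLE_LOG_LEN);
    return 0;
}
```

Repeated flagged requests from a single client, or flagged requests paired with a 500 status on the management interface, are the pattern worth escalating; a single malformed value from an internal automation host is more often a tooling bug than an attack.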

Timeline

  • May 10, 2025 – CVE disclosed by Microsoft Security Response Center (MSRC).
  • May 12, 2025 – Patch 2025.3 released on the Microsoft Update Catalog.
  • May 15, 2025 – MSRC issues advisory urging immediate patching.
  • May 22, 2025 – Advisory updated with additional mitigation guidance.

Conclusion

The CVE‑2025‑39677 flaw poses an immediate threat to any environment running the affected MLB versions. Apply the 2025.3 firmware update without delay. If updating is infeasible, isolate the MLB management interface until a patch can be applied. Failure to act exposes your organization to critical compromise.