Microsoft has issued security updates to address two critical vulnerabilities affecting Bing and Power Pages, one of which is being actively exploited in the wild.
The vulnerabilities in question are:
- CVE-2025-21355 (CVSS score: 8.6) – Remote Code Execution Vulnerability in Microsoft Bing
- CVE-2025-24989 (CVSS score: 8.2) – Elevation of Privilege Vulnerability in Microsoft Power Pages
According to Microsoft, the CVE-2025-21355 vulnerability allows an unauthorized attacker to execute code over a network due to missing authentication for a critical function in Microsoft Bing. No action is required from customers.
On the other hand, CVE-2025-24989 is an improper access control vulnerability in Power Pages, a low-code platform for creating and managing secure business websites. This vulnerability can be exploited by an unauthorized attacker to elevate privileges over a network and bypass user registration control.
Microsoft, which credited its employee Raj Kumar with discovering the vulnerability, has marked it as “Exploitation Detected”, indicating that it is aware of at least one instance of the bug being exploited in the wild.
However, the advisory does not provide details on the nature or scale of the attacks, the identity of the threat actors, or the potential targets.
According to Microsoft, “This vulnerability has already been mitigated in the service and all affected customers have been notified.”
“This update addressed the registration control bypass. Affected customers have been given instructions on reviewing their sites for potential exploitation and cleanup methods. If you haven’t been notified, this vulnerability does not affect you.”
The Hacker News has reached out to Microsoft for further comment and will update the story if a response is received.