Microsoft Patches Critical Bing and Power Pages Vulnerabilities, One Actively Exploited
Microsoft has issued security updates to address two Critical-rated vulnerabilities affecting Bing and Power Pages, including one that has been actively exploited in real-world attacks.

Details of the Vulnerabilities
CVE-2025-21355 (CVSS Score: 8.6) – Microsoft Bing Remote Code Execution Vulnerability
CVE-2025-24989 (CVSS Score: 8.2) – Microsoft Power Pages Elevation of Privilege Vulnerability
According to Microsoft's advisory, CVE-2025-21355 stems from missing authentication for a critical function in Bing, potentially allowing an unauthorized attacker to execute code remotely over a network. Fortunately, no customer action is required as Microsoft has already mitigated the issue.
Meanwhile, CVE-2025-24989 is linked to improper access control in Power Pages, a low-code platform used for creating secure business websites. The flaw allows unauthorized attackers to escalate privileges and bypass user registration controls over a network.
Active Exploitation and Response
Microsoft credited its own employee, Raj Kumar, for identifying CVE-2025-24989, marking it with an "Exploitation Detected" label. This confirms that at least one instance of real-world exploitation has been observed, though Microsoft has not disclosed details on the nature of the attacks, threat actors, or affected targets.
In response, Microsoft has already mitigated the vulnerability and notified impacted customers, providing them with instructions to review their sites for potential exploitation and apply cleanup measures. The company reassured users that if they have not received a notification, they are not affected by the issue.
The Hacker News has reached out to Microsoft for further comments and will provide updates if additional details emerge.