Microsoft has released security updates to address two Critical-rated flaws impacting Bing and Power Pages, including one that has come under active exploitation in the wild.
The vulnerabilities are listed below –
- CVE-2025-21355 (CVSS score: 8.6) – Microsoft Bing Remote Code Execution Vulnerability
- CVE-2025-24989 (CVSS score: 8.2) – Microsoft Power Pages Elevation of Privilege Vulnerability
“Missing Authentication for Critical Function in Microsoft Bing allows an unauthorized attacker to execute code over a network,” the tech giant said in an advisory for CVE-2025-21355. No customer action is required.
On the other hand, CVE-2025-24989 concerns a case of improper access control in Power Pages, a low-code platform for creating, hosting, and managing secure business websites, that an unauthorized attacker could exploit to elevate privileges over a network and bypass user registration control.
Microsoft, which credited its own employee Raj Kumar for flagging the vulnerability, has tagged it with an “Exploitation Detected” assessment, indicating that it’s aware of at least one instance of the bug being weaponized in the wild.
That said, the advisory does not offer any details on the nature or scale of the attacks, the identity of the threat actors behind them, and who may have been targeted in such a manner.
“This vulnerability has already been mitigated in the service and all affected customers have been notified,” it added.
“This update addressed the registration control bypass. Affected customers have been given instructions on reviewing their sites for potential exploitation and clean up methods. If you’ve not been notified this vulnerability does not affect you.”
When reached for comment, a Microsoft spokesperson told The Hacker News that “We’ve released a fix and customers are protected.”
CVE-2025-24989 Added to KEV Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), on February 21, 2025, added CVE-2025-24989 to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies apply the necessary fixes by March 14, 2025.
(The story was updated after publication to include a response from Microsoft.)
About The Author
Original post here
