Latest Cyber Security News

You are here: Home / General Cyber Security News / Microsoft Patches Actively Exploited CVE-2025-21355 RCE Vulnerability in Bing
February 20, 2025

Microsoft has released security updates to address two Critical-rated flaws impacting Bing and Power Pages, including one that has come under active exploitation in the wild.

The vulnerabilities are listed below –

  • CVE-2025-21355 (CVSS score: 8.6) – Microsoft Bing Remote Code Execution Vulnerability
  • CVE-2025-24989 (CVSS score: 8.2) – Microsoft Power Pages Elevation of Privilege Vulnerability

“Missing Authentication for Critical Function in Microsoft Bing allows an unauthorized attacker to execute code over a network,” the tech giant said in an advisory for CVE-2025-21355. No customer action is required.

✔ Approved Seller From Our Partners
Mullvad VPN Discount

Protect your privacy by Mullvad VPN. Mullvad VPN is one of the famous brands in the security and privacy world. With Mullvad VPN you will not even be asked for your email address. No log policy, no data from you will be saved. Get your license key now from the official distributor of Mullvad with discount: SerialCart® (Limited Offer).

➤ Get Mullvad VPN with 12% Discount


Cybersecurity

On the other hand, CVE-2025-24989 concerns a case of improper access control in Power Pages, a low-code platform for creating, hosting, and managing secure business websites, that an unauthorized attacker could exploit to elevate privileges over a network and bypass user registration control.

Microsoft, which credited its own employee Raj Kumar for flagging the vulnerability, has tagged it with an “Exploitation Detected” assessment, indicating that it’s aware of at least one instance of the bug being weaponized in the wild.

That said, the advisory does not offer any details on the nature or scale of the attacks, the identity of the threat actors behind them, and who may have been targeted in such a manner.

“This vulnerability has already been mitigated in the service and all affected customers have been notified,” it added.

“This update addressed the registration control bypass. Affected customers have been given instructions on reviewing their sites for potential exploitation and clean up methods. If you’ve not been notified this vulnerability does not affect you.”

The Hacker News has reached out to Microsoft for further comment, and we will update the story if we get a response.

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.


Some parts of this article are sourced from:
thehackernews.com

Reader Interactions

Leave a Reply

Your email address will not be published. Required fields are marked *