Microsoft has released a security update to address two important rating flaws that affect Bing and Power pages.
The vulnerabilities are listed below –
CVE-2025-21355 (CVSS score: 8.6) – Microsoft Bing Remote Code Execution Vulnerability CVE-2025-24989 (CVSS score: 8.2) – Microsoft Power Page Privilege Vulnerability Elevation
“Without authentication for Microsoft Bing’s critical features, unauthorized attackers can run code on the network,” Tech Giant said in an advisory on CVE-2025-21355. No customer action is required.
Meanwhile, CVE-2025-24989 is a low-coded platform for creating, hosting and managing power pages incorrect access control cases, secure business websites, and unauthorized attackers can be found on the network. It could potentially be used to increase privileges. Bypasses user registration control.
Applauded by employee Raj Kumar for flagging the vulnerability, Microsoft tagged it with an “exploitation detection” rating.
That said, the recommendation does not provide the nature and scale of the attack, the identity of the threat actors behind it, and details that could have been targeted in such a way.
“This vulnerability has already been mitigated in the service and has been notified to all affected customers,” he added.
“This update addresses registration control bypass. Affected customers are given instructions on site reviews about potential exploitation and cleanup methods. If not notified, this vulnerability It won’t affect you.”
The Hacker News reached out to Microsoft for further comment. I’ll update the story if I get a response.
Source link
