Microsoft has released critical security updates to address two significant vulnerabilities impacting Bing and Power Pages. One of these vulnerabilities has already been targeted by malicious actors in active exploitation scenarios.
Overview of the Vulnerabilities
The identified vulnerabilities are:
- CVE-2025-21355 – Microsoft Bing Remote Code Execution Vulnerability (CVSS score: 8.6)
- CVE-2025-24989 – Microsoft Power Pages Elevation of Privilege Vulnerability (CVSS score: 8.2)
CVE-2025-21355 stems from a lack of proper authentication checks within Microsoft Bing. As a result, unauthorized attackers could execute malicious code remotely over the network, potentially compromising user data and system integrity.
Microsoft did not specify that customer action is required to mitigate this threat.
Details of Microsoft Power Pages Elevation of Privilege Vulnerability
CVE-2025-24989 relates to improper access control mechanisms within Power Pages, Microsoft’s low-code platform designed for creating and managing secure business websites.
This flaw could allow unauthorized attackers to escalate their privileges over the network, potentially bypassing user registration controls and gaining unauthorized access to sensitive areas of the platform.
Microsoft employee Raj Kumar initially reported this vulnerability, which Microsoft has assessed as being actively exploited by threat actors.
Although no detailed information about the nature or scale of the attacks is available, affected customers have been notified. They have been provided with guidelines on reviewing their sites for potential exploitation and cleaning up if compromised. If you have not been notified, your site is likely safe from this specific vulnerability.
Mitigation Steps and Recommendations
Microsoft has already implemented protective measures against these vulnerabilities within its services. However, continuous vigilance is crucial.
Here are some steps you can take to protect your business:
- Regularly update and patch your software to include the latest security patches.
- Implement robust authentication and authorization controls for your applications.
- Conduct regular security audits and vulnerability assessments.
- Train your employees on security best practices and phishing prevention.
Outreach to Microsoft for Further Clarification
This article has reached out to Microsoft for more detailed insights into the attacks and the threat landscape. We will provide updates as soon as additional information becomes available.
Found this article insightful? Stay informed by following us on Twitter and LinkedIn to read exclusive content and updates from the cybersecurity world.
