Microsoft has released security updates to address two flaws affecting Bing and Power Pages, including one that has been actively exploited in the wild.
The vulnerabilities are listed below:
- CVE-2025-21355 (CVSS score: 8.6) – Microsoft Bing Remote Code Execution Vulnerability
- CVE-2025-24989 (CVSS score: 8.2) – Microsoft Power Pages Elevation of Privilege Vulnerability
“The lack of authentication for a critical function in Microsoft Bing allows an unauthorized attacker to execute code over a network,” the tech giant said in an advisory for CVE-2025-21355. No customer action is required.
On the other hand, CVE-2025-24989 affects Power Pages, a low-code platform for creating, hosting, and managing secure business websites, and could be used by an unauthorized attacker to elevate privileges over a network and bypass the user registration control.
Microsoft, which credited its own employee Raja Kumar with reporting the vulnerability, has tagged it with an “Exploitation Detected” assessment, indicating that it is aware of at least one instance of the flaw being weaponized in the wild.
That said, the advisory gives no details about the nature and scale of the attacks, the identity of the threat actors behind them, or who may have been targeted in this way.
“This vulnerability has already been mitigated in the service, and all affected customers have been notified,” it added.
“This update addressed the registration control bypass. Affected customers have received instructions for reviewing their sites for potential exploitation and cleanup methods. If you have not been notified, this vulnerability does not affect you.”
The Hacker News has reached out to Microsoft for further comment, and we will update the story when we get a response.