Microsoft has released security updates to patch two Critical-rated flaws in Bing and Power Pages, including one that has come under active exploitation in the wild.
The vulnerabilities are listed below.
- CVE-2025-21355 (CVSS score: 8.6) - Microsoft Bing Remote Code Execution Vulnerability
- CVE-2025-24989 (CVSS score: 8.2) - Microsoft Power Pages Elevation of Privilege Vulnerability
"Missing Authentication for Critical Function in Microsoft Bing allows an unauthorised attacker to execute code over a network," Microsoft said in its advisory for CVE-2025-21355. No customer action is required.
CVE-2025-24989, on the other hand, concerns a case of improper access control in Power Pages, a low-code platform for creating, hosting, and managing secure business websites, that an unauthorised attacker could use to elevate privileges over a network and bypass user registration control.
Microsoft, which credited its own employee Raj Kumar for flagging the vulnerability, has tagged it with an "Exploitation Detected" assessment, indicating that it is aware of at least one instance of the bug being weaponized in the wild.
However, the advisory does not provide any details about the nature or scale of the attacks, the identity of the threat actors behind them, or who may have been targeted.
"All affected customers have been notified," it continued, adding that "This vulnerability has already been mitigated in the service."
"This update addressed the registration control bypass. Customers who have been impacted have been given instructions on how to check their websites for possible abuse and on clean-up methods. This vulnerability does not have an impact on you if you haven't been alerted."
The Hacker News has reached out to Microsoft for more information, and we will update the story as soon as we can.