Microsoft has released security updates that address two Critical-rated flaws affecting Bing and Power Pages, including one that has been actively exploited in the wild.
The flaws are listed below:
- CVE-2025-21355 (CVSS score: 8.6) - Microsoft Bing Remote Code Execution Vulnerability
- CVE-2025-24989 (CVSS score: 8.2) - Microsoft Power Pages Elevation of Privilege Vulnerability
According to Microsoft’s advisory for CVE-2025-21355, missing authentication for an important function in Microsoft Bing allows an unauthorised attacker to execute code over a network. No user action is required.
CVE-2025-24989, on the other hand, concerns a case of improper access control in Power Pages, a low-code system for creating, hosting, and managing protected business websites. An unauthorised attacker could exploit it to elevate privileges over a network and bypass the user registration control.
Microsoft, which credited its own employee Raj Kumar for flagging the vulnerability, has tagged it with an “Exploitation Detected” assessment, indicating that it is aware of at least one instance of the bug being weaponized in the wild.
However, the advisory doesn’t provide any information about the nature or scale of the attacks, the identities of the threat actors, or who might have been targeted.
The company has already fixed this flaw, and all affected customers have been notified, it continued.
“This upgrade addressed the registration control bypass.” Customers who have been impacted have been given instructions on how to check their websites for possible abuse and on cleanup practices. This risk doesn’t have an impact on you if you haven’t been alerted.
The Hacker News will update the story if there is a response.