
Microsoft has addressed two critical security vulnerabilities affecting its Bing search engine and Power Pages platform, with one flaw already being exploited in the wild. The company released security updates to patch these high-severity issues that could potentially allow attackers to execute malicious code and elevate privileges.
The first vulnerability (CVE-2025-21355) in Microsoft Bing, rated with a CVSS score of 8.6, stems from missing authentication mechanisms in a critical service component.
This remote code execution flaw could enable attackers to compromise backend systems, manipulate search results, or access sensitive data without requiring user authentication. The vulnerability affects all Bing service tiers, including both consumer and enterprise deployments.
The second vulnerability (CVE-2025-24989), discovered by Microsoft employee Raj Kumar, impacts the Power Pages platform and has been confirmed to be actively exploited. With a CVSS score of 8.2, this elevation-of-privilege vulnerability allowed unauthorized attackers to bypass registration controls and escalate network privileges.
"This vulnerability has already been mitigated in the service and all affected customers have been notified. This update addressed the registration control bypass," the tech giant said in an advisory for CVE-2025-24989. "Affected customers have been given instructions on reviewing their sites for potential exploitation and clean up methods. If you've not been notified this vulnerability does not affect you."
The discovery comes in the wake of recent Power Pages misconfigurations that exposed over 7 million records across healthcare and finance sectors in late 2024.
Microsoft has fixed both vulnerabilities. The Bing vulnerability requires no action from end users or administrators. For affected Power Pages customers, the company has provided specific guidance, including auditing site configurations, removing unauthorized privilege assignments, and reinforcing access controls with updated security features.
Organizations are advised to monitor official advisories and utilize the Power Platform Admin Center's enhanced security dashboard for real-time risk management, especially given Power Pages' integration with over 250 million monthly users' operations.