Microsoft Addresses Actively Exploited Privilege Escalation Vulnerability in Power Pages

Microsoft Addresses Critical Vulnerabilities in Bing and Power Pages

Microsoft has issued security updates to resolve two critical vulnerabilities affecting its Bing search engine and Power Pages platform, one of which is currently being actively exploited. The release highlights ongoing concerns in the cybersecurity landscape as attackers increasingly target widely used enterprise tools.

The first vulnerability, identified as CVE-2025-21355, carries a CVSS score of 8.6 and is characterized as a remote code execution flaw in Microsoft Bing. According to Microsoft, the vulnerability allows unauthorized attackers to execute code remotely, leveraging a “Missing Authentication for Critical Function” issue. Importantly, no action is required from users or organizations regarding this particular flaw, as Microsoft has already deployed mitigations.

The second vulnerability, CVE-2025-24989, scores 8.2 and affects Power Pages, a low-code platform for building and managing business websites. It is an improper access control flaw that could allow a network-based attacker to escalate privileges and bypass the platform's user registration controls. Microsoft has confirmed that the affected systems have been secured and that all impacted customers have been notified.

Microsoft credited its employee Raj Kumar with discovering the vulnerability and tagged the advisory as “Exploitation Detected,” signaling that the company is aware of at least one real-world incident in which the flaw was weaponized. The advisory does not, however, disclose the nature or scale of the attacks or the identities of the actors involved.

In its security advisory, Microsoft stated that “this vulnerability has already been mitigated in the service and all affected customers have been notified.” It also noted that guidance has been distributed to these customers to review their sites for potential exploitation and to apply necessary cleanup methods. For those who have not received notifications, Microsoft assures that they are not impacted by this flaw.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-24989 to its Known Exploited Vulnerabilities (KEV) catalog on February 21, 2025. Under that listing, Federal Civilian Executive Branch agencies must apply the required fixes by March 14, 2025, underscoring the government's emphasis on remediating actively exploited vulnerabilities quickly.

From a defender's perspective, the two flaws map onto familiar MITRE ATT&CK tactics: the Power Pages access control weakness enables privilege escalation, while the Bing flaw's missing authentication would give an attacker initial access. Both illustrate how a single software weakness can hand an adversary unauthorized control, reinforcing the need for proactive defenses.

In closing, the updated advisories underline the importance of ongoing vigilance at a time when flaws in widely used systems such as Microsoft's can have significant consequences. Business owners and IT managers should keep up with the updates and guidance issued by Microsoft and other security authorities, and Power Pages customers who received a notification should follow Microsoft's instructions to review their sites for signs of exploitation.

Following credible security news sources remains a practical way to stay informed about emerging risks and vulnerabilities.