Microsoft has launched security updates to handle two Vital-rated flaws impacting Bing and Energy Pages, together with one which has come beneath energetic exploitation within the wild.
The vulnerabilities are listed beneath –
- CVE-2025-21355 (CVSS rating: 8.6) – Microsoft Bing Distant Code Execution Vulnerability
- CVE-2025-24989 (CVSS rating: 8.2) – Microsoft Energy Pages Elevation of Privilege Vulnerability
“Lacking Authentication for Vital Perform in Microsoft Bing permits an unauthorized attacker to execute code over a community,” the tech large stated in an advisory for CVE-2025-21355. No buyer motion is required.
Alternatively, CVE-2025-24989 issues a case of improper entry management in Energy Pages, a low-code platform for creating, internet hosting, and managing safe enterprise web sites, that an unauthorized attacker might exploit to raise privileges over a community and bypass person registration management.
Microsoft, which credited its personal worker Raj Kumar for flagging the vulnerability, has tagged it with an “Exploitation Detected” evaluation, indicating that it is conscious of not less than one occasion of the bug being weaponized within the wild.
That stated, the advisory doesn’t supply any particulars on the character or scale of the assaults, the id of the menace actors behind them, and who could have been focused in such a fashion.
“This vulnerability has already been mitigated within the service and all affected prospects have been notified,” it added.
“This replace addressed the registration management bypass. Affected prospects have been given directions on reviewing their websites for potential exploitation and clear up strategies. In the event you’ve not been notified this vulnerability doesn’t have an effect on you.”
The Hacker Information has reached out to Microsoft for additional remark, and we’ll replace the story if we get a response.
