Microsoft Patches Actively Exploited Power Pages Privilege Escalation Vulnerability

Microsoft has released security updates to address two Critical-rated flaws impacting Bing and Power Pages, including one that has come under active exploitation in the wild.

The vulnerabilities are listed below -

• CVE-2025-21355 (CVSS score: 8.6) - Microsoft Bing Remote Code Execution Vulnerability
• CVE-2025-24989 (CVSS score: 8.2) - Microsoft Power Pages Elevation of Privilege Vulnerability

"Missing Authentication for Critical Function in Microsoft Bing allows an unauthorized attacker to execute code over a network," the tech giant said in an advisory for CVE-2025-21355. No customer action is required.

On the other hand, CVE-2025-24989 concerns a case of improper access control in Power Pages, a low-code platform for creating, hosting, and managing secure business websites, that an unauthorized attacker could exploit to elevate privileges over a network and bypass user registration control.

Microsoft, which credited its own employee Raj Kumar for flagging the vulnerability, has tagged it with an "Exploitation Detected" assessment, indicating that it's aware of at least one instance of the bug being weaponized in the wild.

That said, the advisory does not offer any details on the nature or scale of the attacks, the identity of the threat actors behind them, and who may have been targeted in such a manner.

"This vulnerability has already been mitigated in the service and all affected customers have been notified," it added.

"This update addressed the registration control bypass. Affected customers have been given instructions on reviewing their sites for potential exploitation and clean up methods. If you've not been notified this vulnerability does not affect you."

The Hacker News has reached out to Microsoft for further comment, and we will update the story if we get a response.