Microsoft addressed a privilege escalation vulnerability in Power Pages, the flaw is actively exploited in attacks.
Microsoft has addressed two critical vulnerabilities, tracked as CVE-2025-21355 (CVSS score: 8.6) and CVE-2025-24989 (CVSS score: 8.2), respectively impacting Bing and Power Pages.
CVE-2025-21355 is a missing authentication for critical Function in Microsoft Bing, an unauthorized attacker could exploit the flaw to execute code over a network. The researcher Nicolas Joly reported the vulnerability.
CVE-2025-24989 is an improper access control flaw in Power Pages, an unauthorized attacker could exploit the flaw to elevate privileges over a network potentially bypassing the user registration control.
Raj Kumar with Microsoft reported the vulnerability. The IT giant confirmed that this vulnerability is actively exploited in the wild.
“Affected customers have been given instructions on reviewing their sites for potential exploitation and clean up methods. If you’ve not been notified this vulnerability does not affect you.” reads the advisory published by Microsoft.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, privilege escalation)
