Full Report
Microsoft has released security updates to address two Critical-rated flaws impacting Bing and Power Pages, including one that has come under active exploitation in the wild. The vulnerabilities are listed below - CVE-2025-21355 (CVSS score: 8.6) - Microsoft Bing Remote Code Execution Vulnerability CVE-2025-24989 (CVSS score: 8.2) - Microsoft Power Pages Elevation of Privilege Vulnerability "
Analysis Summary
# Vulnerability: Actively Exploited Privilege Escalation in Microsoft Power Pages
## CVE Details
- CVE ID: CVE-2025-24989
- CVSS Score: 8.2 (High)
- CWE: Improper access control (Implied by description)
## Affected Systems
- Products: Microsoft Power Pages (low-code platform for creating, hosting, and managing secure business websites)
- Versions: All affected customer versions have been notified by Microsoft. (Specific versions not detailed in the summary)
- Configurations: Applicable to Power Pages deployments where registration control bypass is possible.
## Vulnerability Description
The vulnerability is an improper access control flaw within Microsoft Power Pages. An unauthorized attacker could exploit this vulnerability to elevate privileges over a network and bypass user registration control mechanisms on affected sites.
## Exploitation
- Status: **Exploited in the wild** ("Exploitation Detected" assessment by Microsoft)
- Complexity: Not explicitly stated, but exploitation requires network access to bypass registration controls.
- Attack Vector: Network
## Impact
- Confidentiality: Potential (due to privilege escalation)
- Integrity: Potential (due to privilege escalation)
- Availability: Potential (due to unauthorized actions following privilege escalation)
*(Note: Specific impact levels are not detailed in the summary, but privilege escalation generally implies high impact on Integrity and Confidentiality.)*
## Remediation
### Patches
- Microsoft has released security updates addressing CVE-2025-24989. (Specific patch versions are not listed in the summary, users must refer to the official MSRC advisory.)
### Workarounds
- Microsoft has mitigated the issue in the service and notified affected customers.
- Affected customers must review their sites for potential exploitation and follow clean up instructions provided by Microsoft. If a customer was not notified, the vulnerability does not affect them.
## Detection
- Detection methods and tools are not detailed in this summary, but remediation instructions provided to affected customers likely include specific cleanup steps.
## References
- Vendor Advisory (CVE-2025-24989): https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24989
- Article Source: https://thehackernews.com/2025/02/microsoft-patches-actively-exploited.html