Critical Microsoft Bing Vulnerability Let Attackers Execute Code Remotely

Microsoft has addressed a critical security flaw in its Bing search engine, tracked as CVE-2025-21355, which could have allowed unauthorized attackers to execute arbitrary code remotely. With a maximum CVSS severity score of 9.8, this remote code execution (RCE) vulnerability marked one of the most severe threats to Microsoft’s ecosystem this year. The vulnerability, classified as a Missing Authentication for a Critical Function flaw, posed significant risks to organizations and users relying on Bing’s infrastructure.

CVE-2025-21355 originated from inadequate authentication mechanisms in a critical Bing service component. Attackers could exploit the flaw over a network to execute malicious code without requiring user interaction or prior authentication. This would enable threat actors to compromise backend systems, manipulate search results, or exfiltrate sensitive data hosted on Microsoft’s infrastructure. The absence of required authentication made this vulnerability particularly dangerous, as attackers could launch large-scale attacks without needing to compromise user credentials.

Microsoft has not disclosed specific technical details, in order to prevent further exploitation, but security analysts speculate that the vulnerability resided in Bing’s API or cloud service layer. The flaw’s network-based attack vector suggests it could have been exploited via specially crafted requests to unpatched servers, bypassing authentication checks to gain SYSTEM-level privileges.

As a core component of Microsoft’s services, Bing integrates with enterprise tools like Microsoft 365, SharePoint, and Azure Active Directory. Microsoft confirmed the flaw affected all Bing service tiers, including consumer and enterprise deployments. Microsoft encourages organizations to subscribe to its Security Update Guide for real-time alerts on emerging threats.

This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 20 Feb 2025 01:45:10 +0000

