Cyber Posture

CVE-2025-21355

High

Published: 19 February 2025

Modified: 05 March 2025
KEV Added
Patch
CVSS Score: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)
EPSS Score: 0.0696 (91.5th percentile)
Risk Priority: 21 (60% EPSS · 20% KEV · 20% CVSS)

Description

Missing Authentication for Critical Function in Microsoft Bing allows an unauthorized attacker to execute code over a network.

Security Summary

CVE-2025-21355 is a missing authentication for a critical function vulnerability affecting Microsoft Bing. Published on 2025-02-19, it carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N) and maps to CWE-306 (Missing Authentication for Critical Function), with additional NVD-CWE-noinfo classification.

The attack vector is the network, attack complexity is low, and no privileges or user interaction are required, so an unauthorized attacker with network access can exploit it. The description states that successful exploitation allows code execution over the network; the CVSS vector rates the confidentiality impact as High with a change in scope (S:C), and the integrity and availability impact as None (I:N/A:N).

The Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21355 provides details on mitigation and patches.

Details

CWE(s)
CWE-306, NVD-CWE-noinfo

Affected Products

microsoft bing, all versions
