Microsoft reports remote code execution flaw in Bing search service
Take action: This is an FYI advisory. The flaw was in Microsoft's search engine systems, so as a customer there is nothing for you to patch. If you are an enterprise user, you may want to contact Microsoft to confirm whether your organization was affected.
Learn More
Microsoft is reporting a security vulnerability in its Bing search service that could allow an unauthenticated attacker to execute code remotely over a network, with no user interaction or credentials required.
The flaw is tracked as CVE-2025-21355 (CVSS score 8.6). The vulnerability stems from a missing authentication mechanism for a critical function and was internally discovered by Microsoft. It affected all Bing service tiers, including both consumer and enterprise deployments. The flaw likely resided in Bing's API or cloud service layer, where authentication gaps permitted unauthorized command execution.
The severity of this vulnerability was amplified by Bing's deep integration with enterprise tools like Microsoft 365 and Azure Active Directory, creating potential pathways for lateral movement within corporate networks. This integration meant that successful exploitation could lead to broader system compromises, data breaches, and service disruptions across connected Microsoft services.
While Microsoft has confirmed detecting exploitation attempts, it has not disclosed the scope of the attacks or the identity of the threat actors. The company has directly notified all affected customers and provided them with cleanup guidance, stating that organizations that have not been contacted face no exposure.