CVE-2025-21355

High

Published: 19 February 2025

Published

19 February 2025

Modified

05 March 2025

KEV Added

—

Patch

—

CVSS Score 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

EPSS Score 0.0696 91.5th percentile

Risk Priority 21 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-21355 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Microsoft Bing. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 8.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and IA-8 (Identification and Authentication (Non-organizational Users)).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-14 Permitted Actions Without Identification or Authentication good match

prevent

Directly addresses missing authentication for critical functions by explicitly identifying and limiting permitted actions without identification or authentication.

IA-8 Identification and Authentication (Non-organizational Users) good match

prevent

Requires unique identification and authentication for non-organizational users, preventing unauthorized network access to critical functions in public-facing services like Microsoft Bing.

SI-2 Flaw Remediation good match

prevent

Mandates timely identification, reporting, and correction of flaws such as this missing authentication vulnerability through testing and patching.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The vulnerability is a missing authentication for a critical function in the public-facing Microsoft Bing service, directly enabling unauthenticated remote code execution over the network with no privileges or user interaction required, which maps to exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Missing Authentication for Critical Function in Microsoft Bing allows an unauthorized attacker to execute code over a network

Deeper analysisAI

CVE-2025-21355 is a missing authentication for a critical function vulnerability affecting Microsoft Bing. Published on 2025-02-19, it carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N) and maps to CWE-306 (Missing Authentication for Critical Function), with additional NVD-CWE-noinfo classification.

An unauthorized attacker with network access can exploit this vulnerability due to low attack complexity, requiring no privileges, user interaction, or special conditions. Successful exploitation allows remote code execution, achieving high confidentiality impact with a change in scope.

The Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21355 provides details on mitigation and patches.

Details

CWE(s): CWE-306 NVD-CWE-noinfo

Affected Products

microsoft

bing

all versions

CVEs Like This One

CVE-2026-33819Same product: Microsoft Bing

CVE-2026-26120Same product: Microsoft Bing

CVE-2026-32186Same product: Microsoft Bing

CVE-2025-59246Same vendor: Microsoft

CVE-2026-23662Same vendor: Microsoft

CVE-2026-26125Same vendor: Microsoft

CVE-2026-32211Same vendor: Microsoft

CVE-2026-20856Same vendor: Microsoft

CVE-2025-21385Same vendor: Microsoft

CVE-2025-24043Same vendor: Microsoft

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21355
Patch, Vendor Advisory · secure@microsoft.com