Deserialization of untrusted data in Microsoft Bing allows an unauthorized attacker to execute code over a network.
The attack mechanism is based on CWE-502 error — deserialization of untrusted input data. The attacker sends a crafted payload to the vulnerable Microsoft Bing component, which then deserializes its contents without proper validation. This leads to the application executing malicious code supplied by the attacker. The attack does not require authentication, user interaction, or special privileges, and its scope extends beyond the boundary of the directly attacked component (Scope: Changed).
An attacker can gain full control over the vulnerable system, including confidentiality, integrity, and availability of data — which corresponds to the maximum impact level in all three CVSS categories. Successful exploitation of the vulnerability can lead to environment takeover, data theft, or further lateral movement in the infrastructure.
Patches available from the vendor should be applied in accordance with the references: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33819. If immediate patch deployment is not possible, it is recommended to restrict network access to vulnerable components and increase monitoring of network traffic for anomalies.
Microsoft Bing — versions indicated in vendor references (Microsoft Security Response Center)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HMicrosoft Bing
APPMicrosoftwszystkie wersje
Related vulnerabilities
SSRF w Microsoft Bing umożliwia eskalację uprawnień przez sieć
Missing Authentication for Critical Function in Microsoft Bing allows an unauthorized attacker to execute code...
User interface (ui) misrepresentation of critical information in Microsoft Bing allows an unauthorized attacke...
Server-side request forgery (ssrf) in Microsoft Bing allows an unauthorized attacker to perform tampering over...
Microsoft Bing Search Spoofing Vulnerability