← CIO Briefings · Critical Impact ACTION REQUIRED

Critical Microsoft Bing Vulnerability Allows Unauthenticated Remote Takeover — Apply April Patches Immediately

A maximum-severity vulnerability in Microsoft Bing allows attackers with no account or credentials to take full control of affected systems over the internet. Microsoft has released a patch as part of April 2026 updates — all organisations should apply immediately and verify that enterprise search infrastructure is updated.

2 min read

Situation

Microsoft has patched a maximum-severity security flaw in Bing — its search platform — that received the highest possible risk score of 10.0 out of 10. The vulnerability allows an attacker anywhere on the internet to take complete control of affected systems without needing an account, password, or any assistance from a user. No workaround exists — the only remedy is applying Microsoft’s April 2026 update.

The same underlying technology that powers Bing’s backend is also integrated into Microsoft 365 Copilot, Azure cloud services, and enterprise internal search tools. Organisations running on-premises Microsoft search infrastructure face the highest immediate risk.

Business Risk

This class of vulnerability — no credentials required, no user action needed, maximum severity — is the highest-risk category in enterprise security. If exploited before patching, an attacker could gain complete control of affected servers, access sensitive business data indexed by the search platform, or use compromised infrastructure as a foothold into the broader network.

The risk extends beyond Bing itself. Any enterprise system connected to the affected backend — including productivity and AI assistant services built on Microsoft’s search infrastructure — may be affected until the patch is applied. Organisations that have not applied the April 2026 Microsoft updates should assume this vulnerability is unpatched across their estate.

  • Apply Microsoft’s April 2026 security updates immediately — direct your IT and security teams to prioritise this patch above the regular patching cycle; no workaround is available and every day unpatched is a day of exposure.
  • Verify on-premises Microsoft search deployments — if your organisation runs internal Microsoft search, intranet portals, or enterprise search powered by Bing technology, confirm with your IT team that those systems have been updated.
  • Request a patch status report within 24 hours — ask your security operations team to confirm which systems are updated and which remain outstanding; escalate any blockers to patching.
  • Review cyber insurance policy thresholds — a CVSS 10.0 actively exploitable vulnerability in widely deployed infrastructure is precisely the scenario most policies flag; confirm your insurer’s notification requirements and timeline.