Description
Improper neutralization of special elements used in a command ('command injection') in Microsoft Bing Images allows an unauthorized attacker to execute code over a network.
Published: 2026-03-19
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Microsoft Bing Images has a flaw where special elements used in command construction are not properly neutralized, allowing attackers to inject arbitrary commands. The vulnerability enables execution of code on the target system, potentially compromising application integrity, confidentiality, and availability. Since the issue is a classic command injection, a successful attack could grant an attacker full control over the affected service or the underlying host.

Affected Systems

Microsoft Bing Images is the affected product. No specific version information is disclosed. Administrators should verify which instances of Bing Images are deployed and identify the exact version to determine whether they are exposed.

Risk and Exploitability

The CVSS score of 9.8 indicates critical severity. The EPSS score of less than 1% suggests that public exploitation is currently limited, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is network-based, where an unauthenticated attacker sends crafted requests to the Bing Images service to trigger the command injection. Because arbitrary commands can be executed, the risk to the system and data is significant if the exploit succeeds.

Generated by OpenCVE AI on April 14, 2026 at 17:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Microsoft security update for Bing Images referenced at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32194
  • Verify that the patched version is running on all affected systems
  • If immediate patching is not feasible, restrict network access to the Bing Images service using firewall rules or disable the feature entirely
  • Monitor inbound traffic for suspicious request patterns that may indicate attempts to exploit command injection



Advisories

No advisories yet.

History

Tue, 14 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:microsoft:bing_images:-:*:*:*:*:*:*:*

Fri, 20 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 19 Mar 2026 21:30:00 +0000

Type Values Removed Values Added
Description Improper neutralization of special elements used in a command ('command injection') in Microsoft Bing Images allows an unauthorized attacker to execute code over a network.
Title Microsoft Bing Images Remote Code Execution Vulnerability
First Time appeared Microsoft, Microsoft bing Images
Weaknesses CWE-77
CPEs cpe:2.3:a:microsoft:bing_images:*:*:*:*:*:*:*:*
Vendors & Products Microsoft, Microsoft bing Images
References
Metrics cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-14T16:36:33.188Z

Reserved: 2026-03-11T00:26:53.427Z

Link: CVE-2026-32194

Vulnrichment

Updated: 2026-03-20T20:17:16.304Z

NVD

Status: Analyzed

Published: 2026-03-19T22:16:41.130

Modified: 2026-04-14T16:35:28.323

Link: CVE-2026-32194

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T16:45:09Z

Weaknesses