CVE-2026-32194

CRITICAL

Microsoft Bing Images Remote Code Execution Vulnerability

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-32194. PoCs published by z3r0h3ro.

AI-analyzed exploit summary: The repository claims to provide a PoC for CVE-2026-32194 but lacks actual exploit code, instead directing users to an external download link. The README contains technical details but no functional code.

Description

Improper neutralization of special elements used in a command ('command injection') in Microsoft Bing Images allows an unauthorized attacker to execute code over a network.

Exploits (1)

nomisec SUSPICIOUS
by z3r0h3ro · poc
https://github.com/z3r0h3ro/CVE-2026-32194-POC

Classification: Suspicious 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Theoretical
Target: Microsoft Bing Images
No auth needed
Prerequisites: JPEG with crafted EXIF/IPTC block · Bing image preview/thumbnail generation endpoint
devstral-2 · analyzed Mar 21, 2026

References (1)

Core References
Vendor Advisory vendor-advisory patch
Microsoft Bing Images Remote Code Execution Vulnerability
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32194

Scores

CVSS v3 9.8
EPSS 0.0012
EPSS Percentile 31.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE CWE-77
Status published
Products (2)
microsoft/bing_images
Microsoft/Microsoft Bing Images -
Published Mar 19, 2026
Tracked Since Mar 20, 2026