Feb 2025: Microsoft Power Pages Elevation of Privilege Vulnerability
CVE-2025-24989 Published on February 19, 2025
Microsoft Power Pages Elevation of Privilege Vulnerability
An improper access control vulnerability in Power Pages allows an unauthorized attacker to elevate privileges over a network potentially bypassing the user registration control.
This vulnerability has already been mitigated in the service and all affected customers have been notified. This update addressed the registration control bypass. Affected customers have been given instructions on reviewing their sites for potential exploitation and clean up methods. If you've not been notified this vulnerability does not affect you.
Known Exploited Vulnerability
This Microsoft Power Pages Improper Access Control Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. Microsoft Power Pages contains an improper access control vulnerability that allows an unauthorized attacker to elevate privileges over a network potentially bypassing the user registration control.
The following remediation steps are recommended / required by March 14, 2025: Apply mitigations per vendor instructions, follow BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Weakness Type
What is an Authorization Vulnerability?
The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CVE-2025-24989 has been classified to as an Authorization vulnerability or weakness.
Products Associated with CVE-2025-24989
Want to know whenever a new CVE is published for Microsoft Power Pages? stack.watch will email you.
Affected Versions
Microsoft Power Pages Version - is affected by CVE-2025-24989Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.