CVE-2025-24989
published 2025-02-19


Priority: P1 (score 85)
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Flags: KEV, ITW
CISA Known Exploited Vulnerability, remediation due 2025-03-14
Exploited in the wild
EPSS: 1.66% (73.7th percentile)
An improper access control vulnerability in Power Pages allows an unauthorized attacker to elevate privileges over a network, potentially bypassing the user registration control. This vulnerability has already been mitigated in the service and all affected customers have been notified. This update addressed the registration control bypass. Affected customers have been given instructions on reviewing their sites for potential exploitation and clean-up methods. If you have not been notified, this vulnerability does not affect you.

Affected (2 ranges)

Vendor      Product                Version range   Fixed in
microsoft   microsoft_power_pages  (not stated)    (not stated)
msrc        microsoft_power_pages  (not stated)    (not stated)

Detection & IOCs (extracted from sources)

  • Vulnerability involves bypassing user registration control in Microsoft Power Pages to elevate privileges over a network — review site audit logs for unauthorized account registrations or privilege escalations
  • Exploitation has been detected in the wild — treat any anomalous new user registrations or privilege changes in Power Pages environments as potentially malicious
  • Affected customers were individually notified by Microsoft; if no notification was received, the environment is not affected — use this as a scoping signal during triage
  • The vulnerability has already been mitigated server-side by Microsoft; no customer patch action is required for remediation, but site-level review for post-exploitation artifacts is still required
  • Customer action IS required — affected customers must review their sites for signs of exploitation and perform cleanup per Microsoft's instructions
  • CISA BOD 22-01 guidance for cloud services applies; remediation due date for federal agencies was 2025-03-14

CVSS provenance

Source        Version   Score   Severity   Vector
nvd           v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck               8.2     HIGH
cisa                    9.8     CRITICAL
vendor_msrc             8.2     HIGH