CVE-2025-24989
Published 2025-02-19
Priority: P185 · critical · CVSS 3.1 base score 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA Known Exploited Vulnerability (KEV), remediation due 2025-03-14
Exploited in the wild (ITW)
EPSS: 1.66% (73.7th percentile)
An improper access control vulnerability in Power Pages allows an unauthorized attacker to elevate privileges over a network potentially bypassing the user registration control.
This vulnerability has already been mitigated in the service and all affected customers have been notified. This update addressed the registration control bypass. Affected customers have been given instructions on reviewing their sites for potential exploitation and clean-up methods. If you have not been notified, this vulnerability does not affect you.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | microsoft_power_pages | — | — |
| msrc | microsoft_power_pages | — | — |
Detection & IOCs (extracted from sources)
- Vulnerability involves bypassing user registration control in Microsoft Power Pages to elevate privileges over a network; review site audit logs for unauthorized account registrations or privilege escalations.
- Exploitation has been detected in the wild; treat any anomalous new user registrations or privilege changes in Power Pages environments as potentially malicious.
- Affected customers were individually notified by Microsoft; if no notification was received, the environment is not affected. Use this as a scoping signal during triage.
- The vulnerability has already been mitigated server-side by Microsoft; no customer patch action is required for remediation, but site-level review for post-exploitation artifacts is still required.
- Customer action IS required: affected customers must review their sites for signs of exploitation and perform cleanup per Microsoft's instructions.
- CISA BOD 22-01 guidance for cloud services applies; the remediation due date for federal agencies was 2025-03-14.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | — | 8.2 | HIGH | — |
| cisa | — | 9.8 | CRITICAL | — |
| vendor_msrc | — | 8.2 | HIGH | — |
GHSA
GHSA-pxjr-976r-24r6 (ghsa_unreviewed · 2025-02-20 · HIGH · CWE-284)
An improper access control vulnerability in Power Pages allows an unauthorized attacker to elevate privileges over a network potentially bypassing the user registration control.
This vulnerability has already been mitigated in the service and all affected customers have been notified. This update addressed the registration control bypass. Affected customers have been given instructions on reviewing their sites for potential exploitation and clean-up methods. If you have not been notified, this vulnerability does not affect you.
VulnCheck
Microsoft Power Pages Improper Access Control Vulnerability (vulncheck · 2025 · CVSS 8.2 · HIGH · CWE-284)
Microsoft Power Pages contains an improper access control vulnerability that allows an unauthorized attacker to elevate privileges over a network potentially bypassing the user registration control.
Affected: Microsoft Power Pages
Required Action: Apply mitigations per vendor instructions, follow BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://api.msrc.microsoft.com/cvrf/v3.0/cvrf/2025-Feb; https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24989; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.enisa.europa.eu/sites/default/files/2025-10/ENISA%20Threat%20Landscape%202025.pdf; ht
CISA
Microsoft Power Pages Improper Access Control Vulnerability (cisa · 2025-02-21 · CVSS 9.8 · CRITICAL · CWE-284)
Affected: Microsoft Power Pages
Microsoft Power Pages contains an improper access control vulnerability that allows an unauthorized attacker to elevate privileges over a network potentially bypassing the user registration control.
Required Action: Apply mitigations per vendor instructions, follow BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-24989 ; https://nvd.nist.gov/vuln/detail/CVE-2025-24989
Remediation Due Date: 2025-03-14
Microsoft
Microsoft Power Pages Elevation of Privilege Vulnerability (vendor_msrc · 2025-02-11 · CVSS 8.2 · HIGH · CWE-284)
Description: An improper access control vulnerability in Power Pages allows an unauthorized attacker to elevate privileges over a network potentially bypassing the user registration control.
This vulnerability has already been mitigated in the service and all affected customers have been notified. This update addressed the registration control bypass. Affected customers have been given instructions on reviewing their sites for potential exploitation and clean-up methods. If you have not been notified, this vulnerability does not affect you.
Product: Microsoft Power Pages
Vendor: Microsoft
Customer Action Required: Yes
Impact: Elevation of Privilege
Exploit Status: Publicly Disclosed: No; Exploited: Yes; Latest Softw
No detection rules found.
No public exploits indexed.
Timeline
- 2025-02-19: Published
- 2025-02-21: Added to CISA KEV
- Exploited in the wild