Improper Access Control in Microsoft Power Pages
CVE-2025-24989

9.8 CRITICAL

Key Information:

Vendor
Microsoft
CVE Published:
19 February 2025

Badges

📈 Score: 805 | 👾 Exploit Exists | 🦅 CISA Reported | 📰 News Worthy

What is CVE-2025-24989?

CVE-2025-24989 is a significant vulnerability found in Microsoft Power Pages, a platform designed for creating and managing web applications. This vulnerability involves improper access control, which means that unauthorized attackers could potentially elevate their privileges and gain access to restricted areas of the application. Such an exploit could severely compromise the integrity and confidentiality of data, impacting organizations that rely on Power Pages for their web applications.

Technical Details

The core of CVE-2025-24989 lies in its improper access control mechanisms. This flaw allows attackers to bypass the standard user registration controls implemented within Microsoft Power Pages, granting them elevated privileges over the network. Microsoft has acknowledged this vulnerability and has subsequently mitigated it through an update, providing affected customers with instructions to review and secure their sites from potential exploitation.

Potential Impact of CVE-2025-24989

  1. Unauthorized Access: Attackers could gain elevated privileges, allowing them to access sensitive data or perform unauthorized actions within the application, which can lead to data breaches.

  2. Data Integrity Risks: With elevated privileges, an attacker could manipulate or delete critical data, undermining the integrity of the application and potentially disrupting organizational operations.

  3. Reputational Damage: Organizations affected by this vulnerability could face significant reputational harm if data breaches occur, resulting in loss of customer trust and potential legal repercussions.

CISA Reported

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified this one as being exploited, but it is not known by CISA to be used in ransomware campaigns. This is subject to change at pace.

The CISA's recommendation is: Apply mitigations per vendor instructions, follow BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Affected Version(s)

Microsoft Power Pages: Unknown

News Articles

Everything you need to know about the Microsoft Power Pages vulnerability

A severe Microsoft Power Pages vulnerability has been fixed after cyber criminals were found to have been exploiting unpatched systems in the wild.

5 days ago

Microsoft fixes Power Pages zero-day bug exploited in attacks

Microsoft has issued a security bulletin for a high-severity elevation of privilege vulnerability in Power Pages, which hackers exploited as a zero-day in attacks.

6 days ago

Microsoft fixed actively exploited flaw in Power Pages

Microsoft addressed a privilege escalation vulnerability in Power Pages; the flaw is actively exploited in attacks.

6 days ago

References

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • 🦅 CISA Reported

  • 👾 Exploit known to exist

  • 📰 First article discovered by SecurityWeek

  • Vulnerability published

  • Vulnerability Reserved