Everything you need to know about the Microsoft Power Pages vulnerability
Microsoft has fixed an escalation of privileges flaw in its SaaS web development platform


A severe Microsoft Power Pages vulnerability has been fixed after cyber criminals were found to have been exploiting unpatched systems in the wild.
The company noted that it has remedied the high severity flaw associated with how the SaaS platform handles access permissions and potentially leaving a backdoor for malicious actors.
CVE-2025-24989 is described as an improper access vulnerability in the National Vulnerability Database designated as high severity with a score of 8.2 in the CVSS.
It could potentially allow an unauthorized attacker to elevate privileges over a network, bypass the platform’s user registration controls, and access restricted information or modify sensitive files.
Microsoft said the vulnerability has already been mitigated and all affected customers have been notified with instructions on how to assess if their sites are open to potential exploitation.
The security bulletin notes that it has detected threat actors exploiting the flaw in the wild but did not provide any further information.
Ben McCarthy, lead cyber security engineer at Immersive, outlined how these flaws arise in platforms like Power Pages.
Get the ITPro daily newsletter
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
“These vulnerabilities occur in SaaS platforms when attackers can find pathways through the platform's logic that have not been fully tested by the SaaS platform owners,” he said “Often done by chaining APIs together or using the platform functionality in an unexpected order, attackers can bypass certain protections put in place if users follow the usual steps taken on the platform.”
How to address the Power Pages vulnerability
McCarthy noted that Microsoft was fairly quick to address the issue before potentially wider exploitation was possible.
“However, having the level of monitoring that Microsoft can supply these platforms created through Power Pages, they quickly found the vulnerability and have mitigated it," he added.
"This means this vulnerability is no longer present in Power Pages websites, and for the organisations and individuals that have been affected by the vulnerability, Microsoft has notified and worked with them to properly contain and deal with the intrusion.”
RELATED WHITEPAPER
Businesses that have not been notified are not affected by the vulnerability, Microsoft stated, but those who have should make a number of precautionary checks to ensure they are safe.
This includes reviewing your user access logs to establish if there has been any unauthorized access that Microsoft may have missed, as well as ensuring your Power Pages environment is protected with multi-factor authentication and monitoring through the Power Pages Admin Center.
MORE FROM ITPRO
- Flaws in a popular dev library could let hackers run malicious code in your MongoDB database
- A critical Ivanti flaw is being exploited in the wild – here’s what you need to know
- Warning issued after SharePoint flaw puts entire corporate networks at risk

Solomon Klappholz is a former staff writer for ITPro and ChannelPro. He has experience writing about the technologies that facilitate industrial manufacturing, which led to him developing a particular interest in cybersecurity, IT regulation, industrial infrastructure applications, and machine learning.
-
RSAC Conference 2025: The front line of cyber innovation
ITPro Podcast Ransomware, quantum computing, and an unsurprising focus on AI were highlights of this year's event
-
Anthropic CEO Dario Amodei thinks we're burying our heads in the sand on AI job losses
News With AI set to hit entry-level jobs especially, some industry execs say clear warning signs are being ignored
-
Confused at all the threat group names? You’re not alone. CrowdStrike and Microsoft want to change that
News CrowdStrike and Microsoft hope to "bring clarity and coordination" to the cyber industry by unifying threat group naming conventions.
-
A flaw in OneDrive’s File Picker feature could give access to hundreds of apps
News The OneDrive File Picker flaw could affect hundreds of apps, researchers warn
-
Microsoft ramps up zero trust capabilities amid agentic AI push
News The move from Microsoft looks to bolster agent security and prevent misuse
-
Hackers are targeting Ivanti VPN users again – here’s what you need to know
News Ivanti has re-patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.
-
Broadcom issues urgent alert over three VMware zero-days
News The firm says it has information to suggest all three are being exploited in the wild
-
Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claim
News Over 200 vulnerable Nakivo backup instances have been identified months after the firm silently patched a security flaw.
-
So long, Defender VPN: Microsoft is scrapping the free-to-use privacy tool over low uptake
News Defender VPN, Microsoft's free virtual private network, is set for the scrapheap, so you might want to think about alternative services.
-
Hackers are on a huge Microsoft 365 password spraying spree – here’s what you need to know
News A botnet made up of 130,000 compromised devices has been conducting a huge password spraying campaign targeting Microsoft 365 accounts.