Everything you need to know about the Microsoft Power Pages vulnerability
Microsoft has fixed an escalation of privileges flaw in its SaaS web development platform
A severe Microsoft Power Pages vulnerability has been fixed after cyber criminals were found to have been exploiting unpatched systems in the wild.
The company noted that it has remedied the high severity flaw associated with how the SaaS platform handles access permissions and potentially leaving a backdoor for malicious actors.
CVE-2025-24989 is described as an improper access vulnerability in the National Vulnerability Database designated as high severity with a score of 8.2 in the CVSS.
It could potentially allow an unauthorized attacker to elevate privileges over a network, bypass the platform’s user registration controls, and access restricted information or modify sensitive files.
Microsoft said the vulnerability has already been mitigated and all affected customers have been notified with instructions on how to assess if their sites are open to potential exploitation.
The security bulletin notes that it has detected threat actors exploiting the flaw in the wild but did not provide any further information.
Ben McCarthy, lead cyber security engineer at Immersive, outlined how these flaws arise in platforms like Power Pages.
“These vulnerabilities occur in SaaS platforms when attackers can find pathways through the platform's logic that have not been fully tested by the SaaS platform owners,” he said “Often done by chaining APIs together or using the platform functionality in an unexpected order, attackers can bypass certain protections put in place if users follow the usual steps taken on the platform.”
How to address the Power Pages vulnerability
McCarthy noted that Microsoft was fairly quick to address the issue before potentially wider exploitation was possible.
“However, having the level of monitoring that Microsoft can supply these platforms created through Power Pages, they quickly found the vulnerability and have mitigated it," he added.
"This means this vulnerability is no longer present in Power Pages websites, and for the organisations and individuals that have been affected by the vulnerability, Microsoft has notified and worked with them to properly contain and deal with the intrusion.”
RELATED WHITEPAPER
Businesses that have not been notified are not affected by the vulnerability, Microsoft stated, but those who have should make a number of precautionary checks to ensure they are safe.
This includes reviewing your user access logs to establish if there has been any unauthorized access that Microsoft may have missed, as well as ensuring your Power Pages environment is protected with multi-factor authentication and monitoring through the Power Pages Admin Center.
MORE FROM ITPRO
- Flaws in a popular dev library could let hackers run malicious code in your MongoDB database
- A critical Ivanti flaw is being exploited in the wild – here’s what you need to know
- Warning issued after SharePoint flaw puts entire corporate networks at risk
-
Anthropic promises ‘Opus-level’ reasoning with new Claude Sonnet 4.6 modelNews The latest addition to the Claude family is explicitly intended to power AI agents, with pricing and capabilities designed to attract enterprise attention
-
Researchers call on password managers to beef up defensesNews Analysts at ETH Zurich called for cryptographic standard improvements after a host of password managers were found lacking
-
CVEs are set to top 50,000 this year, marking a record high – here’s how CISOs and security teams can prepare for a looming onslaughtNews While the CVE figures might be daunting, they won't all be relevant to your organization
-
Microsoft patches six zero-days targeting Windows, Word, and more – here’s what you need to knowNews Patch Tuesday update targets large number of vulnerabilities already being used by attackers
-
Thousands of Microsoft Teams users are being targeted in a new phishing campaignNews Microsoft Teams users should be on the alert, according to researchers at Check Point
-
Microsoft warns of rising AitM phishing attacks on energy sector
News The campaign abused SharePoint file sharing services to deliver phishing payloads and altered inbox rules to maintain persistence
-
Experts welcome EU-led alternative to MITRE's vulnerability tracking schemeNews The EU-led framework will reduce reliance on US-based MITRE vulnerability reporting database
-
Microsoft just took down notorious cyber crime marketplace RedVDS – and found hackers were using ChatGPT and its own Copilot tool to wage attacks
News Microsoft worked closely with law enforcement to take down the notorious RedVDS cyber crime service – and found tools like ChatGPT and its own Copilot were being used by hackers.
-
Veeam patches Backup & Replication vulnerabilities, urges users to updateNews The vulnerabilities affect Veeam Backup & Replication 13.0.1.180 and all earlier version 13 builds – but not previous versions.
-
These Microsoft Teams security features will be turned on by default this month – here's what admins need to know
News From 12 January, weaponizable file type protection, malicious URL detection, and a system for reporting false positives will all be automatically activated.
