CVE-2025-24989

Microsoft Power Pages Elevation of Privilege Vulnerability

Basic Information

CVE State
PUBLISHED
Reserved Date
January 30, 2025
Published Date
February 19, 2025
Last Updated
March 12, 2025
Vendor
Microsoft
Product
Microsoft Power Pages
Description
An improper access control vulnerability in Power Pages allows an unauthorized attacker to elevate privileges over a network, potentially bypassing the user registration control. This vulnerability has already been mitigated in the service and all affected customers have been notified. This update addressed the registration control bypass. Affected customers have been given instructions on reviewing their sites for potential exploitation and cleanup methods. If you've not been notified, this vulnerability does not affect you.

CVSS Scores

CVSS v3.1

8.2 - HIGH

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N/E:U/RL:O/RC:C

SSVC Information

Exploitation
active
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (added 2025-02-21 00:00:00 UTC)

Known Exploited Vulnerability Information

Source
CISA
Added Date
2025-02-21 00:00:00 UTC