KEVIntel

Vulnerability detail

Enriched intelligence for a single CVE

Back to KEVs

8.2

CVSS
High

CVE-2025-24989

PUBLISHED

Microsoft Power Pages Elevation of Privilege Vulnerability

Exploited in the wild Remote Low complexity No user interaction

Vendor: Microsoft
Product: Microsoft Power Pages
Published: Feb 19, 2025
EPSS: —

Description

An improper access control vulnerability in Power Pages allows an unauthorized attacker to elevate privileges over a network potentially bypassing the user registration control. This vulnerability has already been mitigated in the service and all affected customers have been notified. This update addressed the registration control bypass. Affected customers have been given instructions on reviewing their sites for potential exploitation and clean up methods. If you've not been notified this vulnerability does not affect you.

windows cisa microsoft

CVSS scores

CVSS v3.1 8.2 High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N/E:U/RL:O/RC:C

Exploitation status

Exploited in the wild

Recorded 2025-02-21 00:00:00 UTC · Source

SSVC decision points

Exploitation: active
Automatable: No
Technical impact: total

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24989

Known exploited vulnerability sources

Catalogues that list this CVE as a known exploited vulnerability.

Source	Added
CISA	Feb 21, 2025

Timeline

CVE ID Reserved

January 30, 2025
CVE Published to Public

February 19, 2025
Added to KEVIntel

February 21, 2025