Microsoft has issued a security bulletin for a high-severity elevation of privilege vulnerability in Power Pages, which hackers exploited as a zero-day in attacks.
The flaw, tracked as CVE-2025-24989, is an improper access control problem impacting Power Pages, allowing unauthorized actors to elevate their privileges over a network and bypass user registration controls.
Microsoft says it has addressed the risk at the service level and notified impacted customers accordingly, enclosing instructions on how to detect potential compromise.
"This vulnerability has already been mitigated in the service and all affected customers have been notified. This update addressed the registration control bypass," reads Microsoft's security bulletin.
"Affected customers have been given instructions on reviewing their sites for potential exploitation and clean-up methods. If you've not been notified, this vulnerability does not affect you."
Microsoft Power Pages is a low-code, SaaS-based web development platform that allows users to create, host, and manage secure external-facing business websites.
It is part of the Microsoft Power Platform, which includes tools like Power BI, Power Apps, and Power Automate.
Since Power Pages is a cloud-hosted service and Microsoft's bulletin describes the flaw as exploitable over a network, exploitation would have taken place remotely against the hosted service rather than on customer-managed infrastructure.
Microsoft has not provided details about how the flaw was exploited in attacks, what the attackers did with the elevated privileges, or how many customers were affected; the only concrete indicator it has shared is that customers who were not notified are not impacted.
In addition to the Power Pages flaw, Microsoft also fixed a Bing remote code execution vulnerability yesterday, tracked as CVE-2025-21355, which has not been marked as exploited.