Microsoft fixes Power Pages zero-day bug exploited in attacks

Microsoft has issued a security bulletin for a high-severity elevation of privilege vulnerability in Power Pages, which hackers exploited as a zero-day in attacks. The flaw, tracked as CVE-2025-24989, is an improper access control problem impacting Power Pages, allowing unauthorized actors to elevate their privileges over a network and bypass user registration controls. Microsoft says it has addressed the risk at the service level and notified impacted customers accordingly, enclosing instructions on how to detect potential compromise. "This vulnerability has already been mitigated in the service and all affected customers have been notified. This update addressed the registration control bypass," reads Microsoft's security bulletin. "Affected customers have been given instructions on reviewing their sites for potential exploitation and clean up methods. If you've not been notified this vulnerability does not affect you." Microsoft Power Pages is a low-code, SaaS-based web develop ... Read full article.