PromptRiskDBThreat intelligence atlas

CVE-2025-24989 - Microsoft Power Pages

AI Vulnerability Context

An improper access control vulnerability in Power Pages allows an unauthorized attacker to elevate privileges over a network potentially bypassing the user registration control. This vulnerability has already been mitigated in the service and all affected customers have been notified. This update addressed the registration control bypass. Affected customers have been given instructions on reviewing their sites for...

Overview

A source-backed snapshot of this vulnerability.

An improper access control vulnerability in Power Pages allows an unauthorized attacker to elevate privileges over a network potentially bypassing the user registration control. This vulnerability has already been mitigated in the service and all affected customers have been notified. This update addressed the registration control bypass. Affected customers have been given instructions on reviewing their sites for potential exploitation and clean up methods. If you've not been notified this vulnerability does not affect you.

CISA KEVyesWhether CISA lists this as exploited.
Techniques0AI attack methods connected to this vulnerability.
Case studies0Examples where this vulnerability is mentioned.

Vulnerability status

How serious this vulnerability is and whether it is known to be exploited.

CISA KEVHIGH
CVE ID
CVE-2025-24989
Vendor/project
Microsoft
Product
Power Pages
Vulnerability name
Microsoft Power Pages Improper Access Control Vulnerability
Date added
2025-02-21
Due date
2025-03-14
Known ransomware campaign use
Unknown
CVSS v3
8.2
CWE-284

Exploit context

What the vulnerability is about.

An improper access control vulnerability in Power Pages allows an unauthorized attacker to elevate privileges over a network potentially bypassing the user registration control. This vulnerability has already been mitigated in the service and all affected customers have been notified. This update addressed the registration control bypass. Affected customers have been given instructions on reviewing their sites for potential exploitation and clean up methods. If you've not been notified this vulnerability does not affect you.

Source evidence

Original public records and references for this page.

Original source

Original source links

Open the public records and source datasets used for this page.