CVE-2025-24989 | Attaxion

CISA Known Exploited Vulnerability (KEV)

Name

Microsoft Power Pages Improper Access Control Vulnerability

Exploit added

February 21, 2025

Action due

March 14, 2025

Action required

Apply mitigations per vendor instructions, follow BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Description

An improper access control vulnerability in Power Pages allows an unauthorized attacker to elevate privileges over a network potentially bypassing the user registration control.
This vulnerability has already been mitigated in the service and all affected customers have been notified. This update addressed the registration control bypass. Affected customers have been given instructions on reviewing their sites for potential exploitation and clean up methods. If you’ve not been notified this vulnerability does not affect you.

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24989

Weakness Enumeration

CWE-ID	CWE Name
CWE-284	Improper Access Control

Details

Source:
NVD

Published:
February 19, 2025

Updated:
February 22, 2025

Risk information

CVSS v3

Base score:
8.2

Severity:

HIGH

Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

CVSS v2

Not defined