Microsoft has issued a security bulletin for a high-severity elevation of privilege vulnerability in Power Pages, which hackers exploited as a zero-day in attacks.
The flaw, tracked as CVE-2025-24989, is an improper access control problem impacting Power Pages, allowing unauthorized actors to elevate their privileges over a network and bypass user registration controls.
Microsoft says it has addressed the risk at the service level and notified impacted customers accordingly, enclosing instructions on how to detect potential compromise.
“This vulnerability has already been mitigated in the service and all affected customers have been notified. This update addressed the registration control bypass,” reads Microsoft’s security bulletin.
“Affected customers have been given instructions on reviewing their sites for potential exploitation and clean up methods. If you’ve not been notified this vulnerability does not affect you.”
Microsoft Power Pages is a low-code, SaaS-based web development platform that allows users to create, host, and manage secure external-facing business websites.
It is part of the Microsoft Power Platform, which includes tools like Power BI, Power Apps, and Power Automate.
Since Power Pages is a cloud-based service, it can be assumed that exploitation occurred remotely.
The software giant has not provided details about how the flaw was exploited in attacks.
In addition to the Power Pages flaw, Microsoft also fixed a Bing remote code execution vulnerability yesterday, which is tracked as CVE-2025-21355 but has not been marked as exploited.
Problem fixed, but checks required
Microsoft has already applied fixes to the Power Pages service, and the vendor has privately shared guidance directly with impacted clients. Still, there are some generic security advice users may consider.
Admins should review activity logs for suspicious actions, user registrations, or unauthorized changes.
Since CVE-2025-24989 is an elevation of privilege bug, user lists should also be scrutinized to verify administrators and high-privileged users.
Recent changes in privileges, security roles, permissions, and web page access controls should be examined further.
Rogue accounts or those showing unauthorized activity should be immediately revoked, affected credentials should be reset, and multi-factor authentication (MFA) should be enforced across all accounts.
If you weren’t notified by Microsoft, your system was likely not affected.
