
Digital safety starts here for both commercial and personal use...

Defend Your Business Against the Latest WNY Cyber Threats. We offer Safe, Secure and Affordable Solutions for your Business and Personal Networks and Devices.



WNYCyber is there to help you choose the best service providers in Western New York... We DO NOT provide the services ourselves, as we are Internet Programmers who have to deal daily with Cyber Threats... (Ugghhh)... So we know what it's like and what it takes to protect OUR and OUR CUSTOMERS' DATA... We built this Website to help steer you to those that can give you the best service at realistic and non-inflated prices. We do not charge or collect any fees.

Microsoft Patches Exploited Power Pages Vulnerability

Summary:
Microsoft recently addressed an elevation-of-privilege vulnerability in its Power Pages platform, which the vendor confirms was exploited as a zero-day in attacks in the wild. Power Pages is a low-code, Software-as-a-Service (SaaS) platform that allows organizations to build, host, and manage business websites with ease. The vulnerability in question, tracked as CVE-2025-24989, stems from improper access controls in Power Pages' user registration system. Specifically, the flaw allows unauthorized actors to elevate privileges over a network, potentially bypassing the user registration control.

Security Officer Comments:
Although Microsoft has not disclosed specific details regarding the exploitation attempts, this vulnerability could enable attackers to gain unauthorized access, potentially leading to the compromise of business-critical data from websites built or hosted using Power Pages. It could also give actors the ability to inject malicious code into victims’ sites, in turn infecting end users. Overall, this vulnerability poses a significant security risk for organizations relying on Power Pages for web hosting and business operations, as it could lead to a breach of sensitive customer information, financial data, or internal communications.

Suggested Corrections:
Microsoft has emphasized that only notified organizations need to take action, as mitigations have been automatically applied to vulnerable instances. However, organizations should still conduct comprehensive access control reviews to verify that unauthorized users have not gained elevated privileges within the platform. Additionally, regular monitoring and auditing of user activity, along with the implementation of extra security measures like multi-factor authentication, will help strengthen defenses against potential attacks.

Link(s):
https://www.securityweek.com/microsoft-patches-exploited-power-pages-vulnerability/