- Microsoft recently found and patched a high-severity bug in Power Pages
- The bug allowed malicious actors to log into target websites
- The vulnerability was fixed, but Microsoft warns potential victims to be on guard
Microsoft has fixed a high-severity vulnerability in its Power Pages product, and has warned users to be on the lookout for signs of exploitation.
The company recently published details about CVE-2025-24989, an improper access control vulnerability in Power Pages, which allows unauthorized attackers to elevate privileges over a network, potentially bypassing the user registration control. In other words, unauthorized attackers could use the vulnerability to log into other people’s websites. It was given a severity score of 8.2/10 (high).
We don’t know who is behind the attack, or how many websites are affected. According to Microsoft, Power Pages has more than 250 million active website users on a monthly basis including Britain’s National Health Service.
Patched flaws
Microsoft Power Pages is a low-code platform for building secure, data-driven websites, enabling users to create and customize sites with drag-and-drop simplicity while integrating with other Microsoft services like Power Automate and Dataverse.
It is designed for businesses and organizations that need external-facing portals for customers, partners, or employees without requiring extensive coding expertise. It is a Software-as-a-Service (SaaS), meaning all patches and updates are done by Microsoft on its servers.
The company already deployed the patch, but that doesn’t mean the trouble is gone. Apparently, cybercriminals discovered the flaw before Microsoft did, and used it to access at least a few websites. It is impossible to know what they did with the access. They could redirect people to malicious websites, serve malvertising, steal data, and more.
The company warned some users to be careful and look for signs of exploitation.
“This vulnerability has already been mitigated in the service and all affected customers have been notified,” Microsoft said. “Affected customers have been given instructions on reviewing their sites for potential exploitation and clean up methods. If you’ve not been notified this vulnerability does not affect you.”
Via The Register
Leave a comment