CVE-2025-24989
HIGH KEV
Microsoft Power Pages - Unauthenticated Privilege Escalation via Registration Control Bypass
Title source: llm
Exploitation Summary
CVE-2025-24989 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added February 21, 2025.
Description
An improper access control vulnerability in Power Pages allows an unauthorized attacker to elevate privileges over a network, potentially bypassing the user registration control. This vulnerability has already been mitigated in the service and all affected customers have been notified. This update addressed the registration control bypass. Affected customers have been given instructions on reviewing their sites for potential exploitation and clean up methods. If you've not been notified, this vulnerability does not affect you.
References (2)
Core References
US Government Resource
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-24989
Patch, Vendor Advisory
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24989
Scores
CVSS v3: 8.2
EPSS: 0.3162
EPSS Percentile: 96.9%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
CISA SSVC (Vulnrichment)
Exploitation: active
Automatable: no
Technical Impact: total
Details
CISA KEV: 2025-02-21
VulnCheck KEV: 2025-02-19
ENISA EUVD: EUVD-2025-4642
CWE: CWE-284
Status: published
Products (1): microsoft/power_pages
Published: Feb 19, 2025
KEV Added: Feb 21, 2025
Tracked Since: Feb 18, 2026