CVE-2025-24989

HIGH KEV

Power Pages - Privilege Escalation

Title source: llm

Description

An improper access control vulnerability in Power Pages allows an unauthorized attacker to elevate privileges over a network potentially bypassing the user registration control. This vulnerability has already been mitigated in the service and all affected customers have been notified. This update addressed the registration control bypass. Affected customers have been given instructions on reviewing their sites for potential exploitation and clean up methods. If you've not been notified this vulnerability does not affect you.

References (2)

[Patch, Vendor Advisory] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24989

[US Government Resource] https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-24989

Scores

CVSS v3 8.2

EPSS 0.3162

EPSS Percentile 96.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

Details

CISA KEV 2025-02-21

VulnCheck KEV 2025-02-19

ENISA EUVD EUVD-2025-4642

CWE

CWE-284

Status published

Products (1)

microsoft/power_pages

Published Feb 19, 2025

KEV Added Feb 21, 2025

Tracked Since Feb 18, 2026