Microsoft on Wednesday informed customers that it has patched a Power Pages vulnerability that has been exploited in attacks.
Microsoft Power Pages is a low-code SaaS platform designed for creating, hosting and managing business websites.
The flaw addressed by Microsoft, tracked as CVE-2025-24989 and described as a critical improper access control issue, allows an attacker to “elevate privileges over a network potentially bypassing the user registration control”.
Customers do not need to install patches, but some users may have to check their instances for signs of compromise.
“This vulnerability has already been mitigated in the service and all affected customers have been notified,” Microsoft said in its advisory. “Affected customers have been given instructions on reviewing their sites for potential exploitation and clean up methods. If you’ve not been notified this vulnerability does not affect you.”
The tech giant has not shared any information on the attacks involving exploitation of CVE-2025-24989.
SecurityWeek has reached out to Microsoft for information on the attacks and will update this article if the company responds.
Microsoft’s advisory credits one of the company’s employees for reporting the vulnerability.
The news comes a few months after researchers discovered misconfigured implementations of Microsoft Power Pages that could expose confidential data.
Related: Microsoft Patches ‘Wormable’ Windows Flaw and File-Deleting Zero-Day
Related: Microsoft Expands Copilot Bug Bounty Program, Increases Payouts
Related: Microsoft Patches Exploited Vulnerability in Partner Network Website
