
Microsoft has addressed a zero-day vulnerability (CVE-2025-24989) in its Power Pages platform that could allow unauthorized attackers to elevate privileges over a network by bypassing the user registration control mechanism. This flaw, rated CVSS 8.2, could have exposed business websites built on Power Pages to security breaches, potentially granting unauthorized users elevated access to sensitive content and administrative functions.
Power Pages is a low-code software as a service (SaaS) platform designed to help businesses quickly create and host external-facing websites with enterprise-grade security. The improper access control vulnerability discovered in Power Pages allowed attackers to bypass user registration controls, escalating their privileges without authorization.
While Microsoft has confirmed that the issue has been fully mitigated, successful exploitation could have given an attacker unauthorized control over business portals, with risks such as data exfiltration, unauthorized modifications, or account takeovers.
Microsoft has taken swift action to resolve the vulnerability, ensuring that all affected customers were notified. A security update has been implemented to fix the registration control bypass, and affected organizations have been provided with remediation steps to assess any potential exploitation.
According to Microsoft: “This vulnerability has already been mitigated in the service and all affected customers have been notified… If you’ve not been notified, this vulnerability does not affect you.”
The company urges Power Pages users to review their sites for any signs of unauthorized access and implement any additional cleanup procedures recommended by Microsoft.