CVE-2025-24989

Published: Feb 19, 2025

Modified: Feb 13, 2026

PUBLISHED

CVSS v3.1

8.2

HIGH

Description

An improper access control vulnerability in Power Pages allows an unauthorized attacker to elevate privileges over a network potentially bypassing the user registration control. This vulnerability has already been mitigated in the service and all affected customers have been notified. This update addressed the registration control bypass. Affected customers have been given instructions on reviewing their sites for potential exploitation and clean up methods. If you've not been notified this vulnerability does not affect you.

Vendor	Product	Versions
Microsoft	Microsoft Power Pages	affected `-`

Weaknesses (CWE)

CWE-284

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N/E:U/RL:O/RC:C

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

High

Availability

None

References

Microsoft Power Pages Elevation of Privilege Vulnerability

vendor-advisory

patch

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-24989

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References