CVE-2025-24989: Microsoft Power Pages Elevation of Privilege Vulnerability

8.2 CVSS

Description

An improper access control vulnerability in Power Pages allows an unauthorized attacker to elevate privileges over a network potentially bypassing the user registration control.
This vulnerability has already been mitigated in the service and all affected cusomters have been notified. This update addressed the registration control bypass. Affected customers have been given instructions on reviewing their sites for potential exploitation and clean up methods. If you've not been notified this vulnerability does not affect you.

Known Exploited

🚨 Marked as known exploited on February 21st, 2025 (about 2 months ago).

Classification

CVE ID: CVE-2025-24989

CVSS Base Severity: HIGH

CVSS Base Score: 8.2

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N/E:U/RL:O/RC:C

Affected Products

Vendor: Microsoft

Product: Microsoft Power Pages

Exploit Prediction Scoring System (EPSS)

EPSS Score: 25.72% (probability of being exploited)

EPSS Percentile: 95.81% (scored less or equal to compared to others)

EPSS Date: 2025-03-20 (when was this score calculated)

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24989

Timeline

2025-02-20 00:31:07 UTC
CVE

Microsoft Power Pages Elevation of Privilege Vulnerability
2025-02-21 15:15:14 UTC
CISA KEV

Microsoft Power Pages Improper Access Control Vulnerability
2025-02-21 15:16:41 UTC
🚨 Marked as Known Exploited
2025-02-21 16:45:25 UTC
All CISA Advisories

CISA Adds One Known Exploited Vulnerability to Catalog