Microsoft fixes Power Pages security flaw, tells users to be on their guard

News
By
published

Microsoft warns of vulnerability being exploited in the wild

The best free firewall
(Image credit: Shutterstock)
  • Microsoft recently found and patched a high-severity bug in Power Pages
  • The bug allowed malicious actors to log into target websites
  • The vulnerability was fixed, but Microsoft warns potential victims to be on guard

Microsoft has fixed a high-severity vulnerability in its Power Pages product, and has warned users to be on the lookout for signs of exploitation.

The company recently published details about CVE-2025-24989, an improper access control vulnerability in Power Pages, which allows unauthorized attackers to elevate privileges over a network, potentially bypassing the user registration control. In other words, unauthorized attackers could use the vulnerability to log into other people’s websites. It was given a severity score of 8.2/10 (high).

We don’t know who is behind the attack, or how many websites are affected. According to Microsoft, Power Pages has more than 250 million active website users on a monthly basis including Britain’s National Health Service.

Patched flaws

Microsoft Power Pages is a low-code platform for building secure, data-driven websites, enabling users to create and customize sites with drag-and-drop simplicity while integrating with other Microsoft services like Power Automate and Dataverse.

It is designed for businesses and organizations that need external-facing portals for customers, partners, or employees without requiring extensive coding expertise. It is a Software-as-a-Service (SaaS), meaning all patches and updates are done by Microsoft on its servers.

The company already deployed the patch, but that doesn’t mean the trouble is gone. Apparently, cybercriminals discovered the flaw before Microsoft did, and used it to access at least a few websites. It is impossible to know what they did with the access. They could redirect people to malicious websites, serve malvertising, steal data, and more.

The company warned some users to be careful and look for signs of exploitation.

“This vulnerability has already been mitigated in the service and all affected customers have been notified,” Microsoft said. “Affected customers have been given instructions on reviewing their sites for potential exploitation and clean up methods. If you've not been notified this vulnerability does not affect you.”

Via The Register

You might also like

TOPICS
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.

More about security
An American flag flying outside the US Capitol building against a blue sky

US government reveals new cybercrime unit targeting AI fraud, crypto and other scams
A close-up of an interent search bar with 'http://ww' visible

Major website hijacking scam sees over 35,000 sites attacked, redirected to gambling sites, so be on your guard
YouTube

A cheaper YouTube Premium Lite tier could roll out soon – and as a Spotify fan I'm ready to sign up
See more latest