CVE-2025-24989 HIGH

CVE-2025-24989: Microsoft Power Pages Elevation of Privilege Vulnerability

Vendor Microsoft
Product Microsoft Power Pages
Weakness CWE-284
KEV Status Known Exploited
Published February 19, 2025
Last update February 13, 2026

CVSS base score

8.2/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N/E:U/RL:O/RC:C

What the vulnerability does

01 Description

An improper access control vulnerability in Power Pages allows an unauthorized attacker to elevate privileges over a network, potentially bypassing the user registration control. This vulnerability has already been mitigated in the service and all affected customers have been notified. This update addressed the registration control bypass. Affected customers have been given instructions on reviewing their sites for potential exploitation and cleanup methods. If you've not been notified, this vulnerability does not affect you.

CISA mandated remediation

02 CISA Required Action

Apply mitigations per vendor instructions, follow BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Key dates

03 Disclosure timeline

February 19, 2025 CVE published
February 13, 2026 Record updated