Microsoft patches actively exploited flaw in Power Pages platform

Take action: This is an FYI advisory - the flaw was in the search engine systems, so you as customers can't do much to fix it. If you are an enterprise user, you may want to reach out to Microsoft for confirmation of any impact to your organization.


Microsoft has fixed an actively exploited security vulnerability affecting its Power Pages platform. Microsoft Power Pages is a low-code platform that allows users to create, host, and manage external-facing business websites quickly and easily, using customizable templates and a visual design studio.

The flaw is tracked as CVE-2025-24989 (CVSS score 8.2), an Elevation of Privilege vulnerability in Microsoft Power Pages, discovered by Microsoft. The vulnerability involves improper access control in the low-code platform used for creating and managing secure business websites. Attackers could exploit this flaw to elevate privileges over a network and bypass user registration controls.

Microsoft has confirmed that CVE-2025-24989 has been actively exploited in the wild, marking it with an "Exploitation Detected" assessment. The company has not disclosed specific details about the nature or scale of these attacks, the identity of the threat actors, or the targeted victims.

The company has mitigated the Power Pages vulnerability in its service and has notified all affected customers. These customers have received specific instructions for reviewing their sites for potential exploitation and for cleanup. Microsoft has emphasized that if customers haven't been notified, their systems are not affected by this vulnerability.
