Microsoft has addressed a zero-day privilege escalation vulnerability in Power Pages, which had already been actively exploited in real-world attacks. The flaw, identified as CVE-2025-24989, stemmed from improper access control, enabling attackers to bypass user registration mechanisms and escalate privileges remotely over the network.
The company has confirmed that the vulnerability was remediated at the service level, and affected users have been notified with instructions on how to check for potential signs of compromise. Microsoft’s statement highlights that the patch effectively mitigates the registration control bypass issue.
Power Pages is a low-code cloud platform designed to facilitate the creation and management of secure external business websites. It is part of the Microsoft Power Platform ecosystem, alongside Power BI, Power Apps, and Power Automate. Given that Power Pages operates in the cloud, the attack was likely conducted remotely.
Microsoft has not disclosed technical details regarding the exploitation of the vulnerability. However, users are advised to review activity logs for signs of suspicious registrations, unauthorized role modifications, or privilege escalations. Additionally, a thorough audit of user and administrator accounts should be conducted to identify any illicit privilege elevation attempts.
Alongside this fix, Microsoft has also patched another high-risk vulnerability—a remote code execution (RCE) flaw in Bing (CVE-2025-21355). However, there are no reports yet of this vulnerability being exploited in active attacks.
Security experts recommend that Power Pages administrators conduct additional security checks, even if they have not received notifications from Microsoft. It is crucial to monitor for anomalous account activity and unauthorized role or access changes, and to immediately disable any suspicious accounts. As an added layer of protection, compromised credentials should be reset, and multi-factor authentication (MFA) should be enforced to strengthen security posture.
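The log review recommended above (suspicious registrations, unauthorized role modifications, privilege escalations) can be scripted once the site's audit trail has been exported. The following is an added example, not Microsoft's tooling or schema: it reads a constructed JSON-lines export in a hypothetical layout and flags the registration-then-elevation pattern; the role name "Administrators", the `KNOWN_ADMINS` allow-list and the 24-hour window are assumptions to adapt to your own site.

```python
import json
from datetime import datetime, timedelta

# Constructed sample of an exported audit trail in a hypothetical JSON-lines
# layout (not Microsoft's real audit schema); the registration-then-elevation
# sequence for "alice" is the kind of trace a registration-control bypass leaves.
SAMPLE_LOG = """
{"ts": "2025-02-18T09:00:00Z", "event": "UserRegistered", "user": "alice@example.com", "actor": "alice@example.com"}
{"ts": "2025-02-18T09:02:10Z", "event": "WebRoleAssigned", "user": "alice@example.com", "actor": "alice@example.com", "role": "Administrators"}
{"ts": "2025-02-18T10:15:00Z", "event": "UserRegistered", "user": "bob@example.com", "actor": "bob@example.com"}
{"ts": "2025-02-18T10:16:00Z", "event": "WebRoleAssigned", "user": "bob@example.com", "actor": "admin@example.com", "role": "Authenticated Users"}
{"ts": "2025-02-19T14:00:00Z", "event": "WebRoleAssigned", "user": "carol@example.com", "actor": "admin@example.com", "role": "Administrators"}
"""

PRIVILEGED_ROLES = {"Administrators"}  # assumption: the web role that grants site admin rights
KNOWN_ADMINS = {"admin@example.com"}   # constructed allow-list of actors permitted to assign roles


def parse_log(text):
    """Parse JSON lines into event dicts, oldest first, with ts as an aware datetime."""
    events = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["ts"])


def find_suspicious(events, window=timedelta(hours=24), open_registration=True):
    """Return (user, reason) pairs for registrations and role changes that need a manual look."""
    registered_at = {}
    findings = []
    for e in events:
        if e["event"] == "UserRegistered":
            registered_at[e["user"]] = e["ts"]
            # On a site with self-service sign-up turned off, any registration
            # event is itself evidence that the registration control was bypassed.
            if not open_registration:
                findings.append((e["user"], "registration while self-service sign-up is disabled"))
        elif e["event"] == "WebRoleAssigned" and e["role"] in PRIVILEGED_ROLES:
            if e["actor"] == e["user"]:
                findings.append((e["user"], "self-assigned privileged role"))
            elif e["actor"] not in KNOWN_ADMINS:
                findings.append((e["user"], f"privileged role assigned by unexpected actor {e['actor']}"))
            registered = registered_at.get(e["user"])
            if registered is not None and e["ts"] - registered <= window:
                findings.append((e["user"], "privileged role granted shortly after registration"))
    return findings


if __name__ == "__main__":
    for user, reason in find_suspicious(parse_log(SAMPLE_LOG)):
        print(f"{user}: {reason}")
```

Every hit is a lead for the account audit, not a verdict: legitimate onboarding by a known administrator (carol in the sample) produces no finding, while a user who registers and holds the admin role minutes later is flagged twice.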