CVE-2025-24989
Published: 19 February 2025
Summary
CVE-2025-24989 is a high-severity Improper Access Control (CWE-284) vulnerability in Microsoft Power Pages. Its CVSS base score is 8.2 (High).
Exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 3.2% of CVEs by exploit likelihood, and CISA has added it to its Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are the NIST SP 800-53 controls AC-2 (Account Management) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Access enforcement: directly enforces approved authorizations, preventing unauthorized privilege escalation through the improper access control in Power Pages.
- Least privilege: restricts an unauthenticated attacker who bypasses registration from elevating privileges any further.
- Account management: governs user registration so that unauthorized, elevated accounts cannot be created.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a remote, unauthenticated improper access control flaw in the public-facing Microsoft Power Pages web service that lets an attacker bypass registration controls and escalate privileges. The initial remote access maps to T1190 (Exploit Public-Facing Application); the resulting elevated privileges map to T1068 (Exploitation for Privilege Escalation).
NVD Description
An improper access control vulnerability in Power Pages allows an unauthorized attacker to elevate privileges over a network potentially bypassing the user registration control. This vulnerability has already been mitigated in the service and all affected customers have been notified.
This update addressed the registration control bypass. Affected customers have been given instructions on reviewing their sites for potential exploitation and clean up methods. If you've not been notified, this vulnerability does not affect you.
Deeper analysis
CVE-2025-24989 is an improper access control vulnerability (CWE-284) in Microsoft Power Pages that allows an unauthorized attacker to elevate privileges over a network by bypassing the user registration control. Published on 2025-02-19, it carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N), indicating high severity due to its network accessibility, low complexity, and lack of required privileges or user interaction.
An unauthenticated attacker can exploit this vulnerability remotely to achieve privilege escalation, enabling unauthorized access and manipulation within affected Power Pages sites while bypassing standard registration controls. The impact primarily affects integrity (high) with some confidentiality exposure but no availability disruption.
Microsoft has already mitigated the vulnerability service-wide in Power Pages, notifying all affected customers with instructions to review their sites for potential exploitation and apply cleanup methods. According to advisories, customers not notified are unaffected. Additional details are available in the MSRC update guide and CISA's Known Exploited Vulnerabilities catalog.
Details
- CWE(s): CWE-284 (Improper Access Control)
- KEV Date Added: 21 February 2025