Cyber Resilience

CVE-2025-24989

Severity: High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 19 February 2025
Modified: 27 October 2025
KEV Added: 21 February 2025
Patch: available (vulnerability mitigated in the service)
CVSS Score v3.1: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N)
EPSS Score: 0.3162 (96.9th percentile)
Risk Priority: 55 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-24989 is a high-severity Improper Access Control (CWE-284) vulnerability in Microsoft Power Pages. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks in the top 3.1% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-3 (Access Enforcement).

Deeper analysis

An improper access control vulnerability tracked as CVE-2025-24989 affects Microsoft Power Pages and stems from CWE-284. The flaw permits an unauthenticated network attacker to bypass the user registration control, resulting in privilege elevation with a CVSS 3.1 score of 8.2 reflecting network attack vector, low complexity, and impacts on confidentiality and integrity.

An unauthenticated remote attacker can exploit the issue without user interaction to gain elevated privileges and circumvent registration restrictions on affected Power Pages sites. Successful exploitation allows the attacker to access or modify resources that should have been protected by the registration control.

Microsoft has already mitigated the vulnerability in the service and notified all impacted customers, providing specific instructions for reviewing sites for signs of exploitation and performing cleanup. Customers who did not receive notification are unaffected; the update directly addressed the registration control bypass.

The vulnerability appears in CISA's Known Exploited Vulnerabilities catalog, confirming real-world exploitation activity. Its EPSS score stands at 0.3162; no earlier, lower baseline is documented, so no trend can be inferred.

Vulnerability details (vendor description)

An improper access control vulnerability in Power Pages allows an unauthorized attacker to elevate privileges over a network potentially bypassing the user registration control. This vulnerability has already been mitigated in the service and all affected customers have been notified.…

This update addressed the registration control bypass. Affected customers have been given instructions on reviewing their sites for potential exploitation and clean-up methods. If you've not been notified, this vulnerability does not affect you.

CWE(s): CWE-284 (Improper Access Control)
KEV Date Added: 21 February 2025

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1068 Exploitation for Privilege Escalation (Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The CVE describes a remote, unauthenticated improper access control flaw in the public-facing Microsoft Power Pages web service. Because the flaw bypasses registration controls and yields elevated privileges, it maps to T1190 (Exploit Public-Facing Application) for the initial remote access and to T1068 (Exploitation for Privilege Escalation) for the resulting elevated privileges.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-59230 (same vendor: Microsoft; both on KEV)
CVE-2025-53763 (same vendor: Microsoft)
CVE-2025-59273 (same vendor: Microsoft)
CVE-2026-24300 (same vendor: Microsoft)
CVE-2026-24306 (same vendor: Microsoft)
CVE-2025-55244 (same vendor: Microsoft)
CVE-2026-24304 (same vendor: Microsoft)
CVE-2026-23652 (same product: Microsoft Power Pages)
CVE-2025-21380 (same vendor: Microsoft)
CVE-2025-59287 (same vendor: Microsoft; both on KEV)

Affected Assets

Vendor: Microsoft
Product: Power Pages
Versions: all versions (service-side fix; no customer action required unless notified)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent)
Directly enforces approved authorizations to prevent unauthorized privilege escalation via improper access control in Power Pages.

Least Privilege (prevent)
Applies least privilege to restrict unauthorized attackers from elevating privileges beyond the registration bypass.

AC-2 Account Management (prevent)
Manages accounts to ensure proper user registration and prevent creation of unauthorized elevated accounts.
