CVE-2025-24989
Published: 19 February 2025
Summary
CVE-2025-24989 is a high-severity Improper Access Control (CWE-284) vulnerability in Microsoft Power Pages. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 3.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-3 (Access Enforcement).
Deeper analysis
An improper access control vulnerability tracked as CVE-2025-24989 affects Microsoft Power Pages and stems from CWE-284. The flaw permits an unauthenticated network attacker to bypass the user registration control, resulting in privilege elevation with a CVSS 3.1 score of 8.2 reflecting network attack vector, low complexity, and impacts on confidentiality and integrity.
An unauthenticated remote attacker can exploit the issue without user interaction to gain elevated privileges and circumvent registration restrictions on affected Power Pages sites. Successful exploitation allows the attacker to access or modify resources that should have been protected by the registration control.
Microsoft has already mitigated the vulnerability in the service and notified all impacted customers, providing specific instructions for reviewing sites for signs of exploitation and performing cleanup. Customers who did not receive notification are unaffected; the update directly addressed the registration control bypass.
The vulnerability appears in CISA's Known Exploited Vulnerabilities catalog, confirming real-world exploitation activity. Its EPSS score has reached 0.3162 without a documented rise from a lower baseline.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-4642
Vulnerability details
An improper access control vulnerability in Power Pages allows an unauthorized attacker to elevate privileges over a network potentially bypassing the user registration control. This vulnerability has already been mitigated in the service and all affected customers have been notified.…
more
This update addressed the registration control bypass. Affected customers have been given instructions on reviewing their sites for potential exploitation and clean up methods. If you've not been notified this vulnerability does not affect you.
- CWE(s)
- KEV Date Added
- 21 February 2025
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE describes a remote unauthenticated improper access control flaw in the public-facing Microsoft Power Pages web service that directly enables bypassing registration controls to achieve privilege escalation, mapping to T1190 (Exploit Public-Facing Application) for initial remote access and T1068 (Exploitation for Privilege Escalation) for the resulting elevated privileges.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly enforces approved authorizations to prevent unauthorized privilege escalation via improper access control in Power Pages.
Applies least privilege to restrict unauthorized attackers from elevating privileges beyond registration bypass.
Manages accounts to ensure proper user registration and prevent creation of unauthorized elevated accounts.