A zero-day vulnerability in Microsoft Power Pages has been exploited in the wild.
The vulnerability, tracked as CVE-2025-24989, is an improper access control flaw that allows privilege escalation in Microsoft Power Pages, a low-code SaaS platform for building enterprise websites. Microsoft disclosed and patched the high-severity vulnerability on Wednesday.
In a security advisory, Microsoft warned that the flaw has been exploited in the wild. Additionally, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-24989 to its Known Exploited Vulnerabilities (KEV) catalog on Friday and gave federal agencies a March 14 deadline to apply mitigations.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA said in an alert on CVE-2025-24989’s exploitation.
The nature of the exploitation activity against the Power Pages vulnerability is unclear. CISA’s KEV catalog listing for CVE-2025-24989 said it’s “unknown” whether the flaw has been weaponized in ransomware attacks. Cybersecurity Dive contacted Microsoft for additional information on the exploitation activity.
“This vulnerability has already been mitigated in the service and all affected customers have been notified. This update addressed the registration control bypass,” Microsoft’s security advisory said. “Affected customers have been given instructions on reviewing their sites for potential exploitation and clean up methods. If you’ve not been notified this vulnerability does not affect you.”
The advisory credited Microsoft employee Raj Kumar with the discovery of CVE-2025-24989.
In a blog post, SOCRadar said bypassing registration controls and elevating privileges in Power Pages could allow threat actors to gain unauthorized access to sensitive data. “Microsoft has already applied fixes at the service level and has privately notified affected customers. Still, admins should review activity logs, check for unauthorized privilege escalations, and enforce multifactor authentication for enhanced security,” SOCRadar said in the post.