Microsoft Patches Major Power Pages Flaw That Could Expose Sensitive Data

Microsoft patched a high-severity Power Pages vulnerability actively exploited by cybercriminals.

Published: Feb 24, 2025


Key Takeaways:

  • Microsoft patched a Power Pages vulnerability that allows attackers to access restricted data.
  • This vulnerability is classified as high severity, with a CVSS score of 8.2.
  • Customers are urged to check their websites for signs of exploitation.

Microsoft has patched a high-severity Power Pages vulnerability that was actively exploited by cybercriminals, potentially exposing sensitive data. The company is urging customers to inspect their websites for any signs of compromise and take immediate security measures.

Power Pages, which Microsoft introduced in 2022, is a low-code platform that allows users to create, host, and manage secure business websites. It’s part of the Power Platform and is designed to be user-friendly, even for those with minimal coding experience. The service offers ready-made templates for various purposes, including registration, scheduling, and applications.

The high-severity vulnerability, tracked as CVE-2025-24989, is an improper access control flaw in Microsoft’s Power Pages service. It allows attackers to escalate privileges, bypass user registration controls, and gain unauthorized access to restricted data or modify sensitive files. First discovered by a Microsoft researcher, the flaw has been assigned a CVSS score of 8.2 out of 10.

Key recommendations for Power Pages users

Microsoft has discovered that cybercriminals are actively exploiting this security flaw. Fortunately, the company has already patched the vulnerability in the Power Pages service. Microsoft says that affected customers have been notified and given instructions on how to check their websites for signs of exploitation.

Furthermore, Microsoft recommends that customers protect their Power Pages environment by requiring users to enable multi-factor authentication. They should also use the tools available in the Power Pages Admin Center to continuously monitor their website for any suspicious activity.

Last year, Microsoft discovered a misconfigured implementation of Power Pages that could expose confidential data. The misconfiguration left millions of records open to unauthorized access. The leaked data contained the email addresses, telephone numbers, and home addresses of the employees.
