How to fix CVE-2025-24989?

Within 24 hours: Identify all affected systems and apply vendor patches immediately. Vendor patch is available.

Is Power Pages affected by CVE-2025-24989?

Organizations using An improper access control vulnerability in Power Pages face notable risk from CVE-2025-24989, a improper access control vulnerability rated CVSS 8.2. Successful exploitation could significantly impact the confidentiality, integrity, or availability of affected systems.

CVE-2025-24989

HIGH

2025-02-19 [email protected]

8.2

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 18:27 vuln.today

Patch Released

Mar 28, 2026 - 18:27 nvd

Patch available

Added to CISA KEV

Oct 27, 2025 - 17:14 cisa

CISA KEV

CVE Published

Feb 19, 2025 - 23:15 nvd

HIGH 8.2

Description

An improper access control vulnerability in Power Pages allows an unauthorized attacker to elevate privileges over a network potentially bypassing the user registration control. This vulnerability has already been mitigated in the service and all affected customers have been notified. This update addressed the registration control bypass. Affected customers have been given instructions on reviewing their sites for potential exploitation and clean up methods. If you've not been notified this vulnerability does not affect you.

Analysis

Microsoft Power Pages contains an improper access control vulnerability allowing unauthenticated attackers to elevate privileges and bypass user registration controls over the network.

Technical Context

The CWE-284 access control flaw in Power Pages' registration system allows attackers to bypass the intended user registration flow, creating accounts with elevated privileges beyond what the registration process should allow.

Affected Products

['Microsoft Power Pages']

Remediation

Microsoft has already mitigated this in the service. Review Power Pages user accounts for unauthorized registrations. Verify that registration controls are properly configured.

Priority Score

117

Low Medium High Critical

KEV: +50

EPSS: +25.7

CVSS: +41

POC: 0

CVE-2025-24989 vulnerability details – vuln.today

Back

CVE-2025-24989

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-24989

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code