Issue could have allowed unauthorised attackers to bypass user registration controls and escalate their privileges.
A Microsoft elevation of privilege vulnerability affecting Power Pages has been patched.
According to Windows Forum, this issue stemmed from an improper access control flaw which, if left unaddressed, could have allowed unauthorised attackers to bypass user registration controls and escalate their privileges over a network.
Tracked as CVE-2025-24989, it was described as being akin to a nightclub bouncer “allowing some guests to gain access without proper clearance.”
Ben McCarthy, lead cyber security engineer at Immersive, explains that Microsoft Power Pages is a software-as-a-service platform created to help individuals and organisations create and host websites with the backing of Microsoft’s security and monitoring.
“These vulnerabilities occur in SaaS platforms when attackers can find pathways through the platform's logic that have not been fully tested by the SaaS platform owners,” he said. “Often done by chaining APIs together or using the platform functionality in an unexpected order, attackers can bypass certain protections put in place if users follow the usual steps taken on the platform.
“However, having the level of monitoring that Microsoft can supply these platforms created through Power Pages, they quickly found the vulnerability and have mitigated it. This means this vulnerability is no longer present in Power Pages websites, and for the organisations and individuals that have been affected by the vulnerability, Microsoft has notified and worked with them to properly contain and deal with the intrusion.”
Written by Dan Raywood, Senior Editor, SC Media UK
Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.
Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.