Microsoft has confirmed active exploitation of a critical elevation-of-privilege vulnerability (CVE-2025-24989) in its Power Pages platform, a low-code tool organizations use to build business websites.
The vulnerability, which allowed unauthorized attackers to bypass registration controls and escalate network privileges, underscores persistent security challenges in widely adopted cloud services.
Microsoft employee Raj Kumar discovered that CVE-2025-24989 stemmed from improper access controls in Power Pages’ user registration system.
Attackers could exploit this flaw to gain unauthorized administrative privileges, potentially accessing sensitive data or compromising connected systems. The vulnerability earned a CVSS score of 8.2, reflecting its high risk to organizations.
While the company has not disclosed specific attack details, the “Exploitation Detected” label confirms at least one real-world incident. Notably, this follows recent revelations about Power Pages misconfigurations exposing millions of records, including NHS employee data in 2024.
Microsoft’s Response and Mitigation
Within hours of detection, Microsoft deployed fixes across its cloud infrastructure. Affected customers received tailored guidance to:
- Audit site configurations for exploitation traces
- Remove unauthorized privilege assignments
- Reinforce access controls using updated security features
Microsoft emphasized that only notified organizations required action, as mitigations were automatically applied to vulnerable instances.
While Microsoft has not named impacted entities, the vulnerability’s discovery coincides with heightened scrutiny of Power Pages’ security posture.
In late 2024, misconfigured Power Pages implementations exposed over 7 million records across sectors like healthcare and finance, including 1.1 million NHS staff details.
CVE-2025-24989’s exploitation scope remains unclear, but its privilege escalation potential could have enabled similar large-scale breaches.
Security analysts warn that compromised Power Pages sites often serve as entry points for lateral movement into corporate networks. Aaron Costello of AppOmni notes, “These platforms’ customizability frequently outpaces organizations’ ability to secure them, creating invisible risk surfaces.”
For Power Pages administrators, Microsoft and cybersecurity experts advise:
- Immediately validate user role assignments and registration workflows.
- Activate Entra Privileged Identity Management to enforce just-in-time access for high-privilege roles.
- Use the new security features, such as authentication key monitoring and SSL certificate alerts, in the Power Platform Admin Center.
- Continuously audit with Microsoft’s CoE Starter Kit to detect residual vulnerabilities.
As Copilot integration expands, organizations must also reassess data exposure risks through AI-enhanced search capabilities.
CVE-2025-24989 highlights systemic challenges in securing low-code platforms designed for rapid deployment. Microsoft’s incident response, praised for transparency, reveals the delicate balance between usability and security in cloud services. The company’s recent introduction of automated key renewal and SSL monitoring tools suggests growing recognition of these challenges. Broader lessons include:
- Improved default security configurations in low-code tools
- Enhanced training for citizen developers
- Tighter integration between DevOps and security teams
With Power Pages now integral to over 250 million monthly users’ operations, its security evolution will likely shape best practices for the entire low-code ecosystem.
Microsoft continues to urge customers to monitor official advisories and utilize the Power Platform Admin Center’s enhanced security dashboard for real-time risk management.