Microsoft fixes Power Pages security flaw, tells users to be on their guard

Microsoft warns of vulnerability being exploited in the wild

TechRadar

News By Sead Fadilpašić published 21 February 2025


  • Microsoft recently found and patched a high-severity bug in Power Pages
  • The bug allowed malicious actors to log into target websites
  • The vulnerability was fixed, but Microsoft warns potential victims to be on guard

Microsoft has fixed a high-severity vulnerability in its Power Pages product, and has warned users to be on the lookout for signs of exploitation.

The company recently published details about CVE-2025-24989, an improper access control vulnerability in Power Pages, which allows unauthorized attackers to elevate privileges over a network, potentially bypassing the user registration control. In other words, unauthorized attackers could use the vulnerability to log into other people’s websites. It was given a severity score of 8.2/10 (high).

We don’t know who is behind the attack, or how many websites are affected. According to Microsoft, Power Pages has more than 250 million active website users on a monthly basis, including Britain’s National Health Service.

Patched flaws

Microsoft Power Pages is a low-code platform for building secure, data-driven websites, enabling users to create and customize sites with drag-and-drop simplicity while integrating with other Microsoft services like Power Automate and Dataverse.

It is designed for businesses and organizations that need external-facing portals for customers, partners, or employees without requiring extensive coding expertise. It is a Software-as-a-Service (SaaS) offering, meaning all patches and updates are applied by Microsoft on its servers.

The company has already deployed the patch, but that doesn’t mean the trouble is gone. Apparently, cybercriminals discovered the flaw before Microsoft did, and used it to access at least a few websites. It is impossible to know what they did with the access. They could redirect people to malicious websites, serve malvertising, steal data, and more.

The company warned some users to be careful and look for signs of exploitation.
