CVE-2025-24989

An improper access control vulnerability in Power Pages allows an unauthorized attacker to elevate privileges over a network potentially bypassing the user registration control. This vulnerability has already been mitigated in the service and all affected customers have been notified. This update addressed the registration control bypass. Affected customers have been given instructions on reviewing their sites for potential exploitation and clean up methods. If you've not been notified this vulnerability does not affect you.

CVSS v3 8.2 HIGH

8.2^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 4.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24989	Patch Vendor Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-24989	US Government Resource

Configurations

Configuration 1 (hide)

cpe:2.3:a:microsoft:power_pages:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-02-19 23:15

Updated : 2025-10-27 17:14

NVD link : CVE-2025-24989

Mitre link : CVE-2025-24989

CVE.ORG link : CVE-2025-24989

JSON object : View

Products Affected

microsoft

power_pages

CWE

CWE-284

Improper Access Control

NVD-CWE-noinfo

{"id": "CVE-2025-24989", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 4.2, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2025-02-19T23:15:15.167", "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24989", "tags": ["Patch", "Vendor Advisory"], "source": "[email protected]"}, {"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-24989", "tags": ["US Government Resource"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-284"}]}, {"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "An improper access control vulnerability in Power Pages allows an unauthorized attacker to elevate privileges over a network potentially bypassing the user registration control.\nThis vulnerability has already been mitigated in the service and all affected customers have been notified. This update addressed the registration control bypass. Affected customers have been given instructions on reviewing their sites for potential exploitation and clean up methods. If you've not been notified this vulnerability does not affect you."}, {"lang": "es", "value": "Una vulnerabilidad de control de acceso inadecuado en Power Pages permite a un atacante no autorizado elevar privilegios en una red y posiblemente eludir el control de registro de usuarios. Esta vulnerabilidad ya se ha mitigado en el servicio y se ha notificado a todos los clientes afectados. Esta actualizaci\u00f3n solucion\u00f3 el problema de eludir el control de registro. Se han dado instrucciones a los clientes afectados para que revisen sus sitios en busca de posibles explotaciones y m\u00e9todos de depuraci\u00f3n. Si no ha recibido una notificaci\u00f3n, esta vulnerabilidad no le afecta."}], "lastModified": "2025-10-27T17:14:03.217", "cisaActionDue": "2025-03-14", "cisaExploitAdd": "2025-02-21", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:power_pages:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DB98CB24-C129-4D49-B051-426877991091"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]", "cisaRequiredAction": "Apply mitigations per vendor instructions, follow BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.", "cisaVulnerabilityName": "Microsoft Power Pages Improper Access Control Vulnerability"}