What is Microsoft Power Pages?
Microsoft Power Pages is a low-code SaaS platform (part of the Microsoft Power Platform) that enables organizations to build external-facing business websites and portals — supplier portals, customer self-service portals, case management sites, and partner portals — connected to Microsoft Dataverse (business data). Power Pages sites handle user registration, authentication, role assignment, and data access. They are commonly used by government agencies, enterprises, and healthcare organizations to expose business data and workflows to external users.
Because Power Pages portals directly expose business data from Dataverse to external users, unauthorized access or privilege escalation in a Power Pages site can lead to data breaches of sensitive organizational information — contracts, customer records, supplier data, HR data, and more.
Overview
CVE-2025-24989 is an improper access control vulnerability (CWE-284) in Microsoft Power Pages that allows an unauthenticated remote attacker to bypass the user registration control and elevate their privileges within a Power Pages portal. Microsoft patched the vulnerability via a service-side update on February 19, 2025, and disclosed that active exploitation had already occurred, directly notifying affected customers. CISA added the vulnerability to the KEV catalog two days later.
Affected Versions
| Product | Status |
|---|---|
| Microsoft Power Pages (SaaS) | Patched via service update February 19, 2025 |
| Customer-hosted Power Pages | No action required — patch applied by Microsoft |
Power Pages is a fully managed SaaS platform — Microsoft applied the patch server-side. Most organizations did not need to take action to receive the fix. However, Microsoft's required action advisory directs organizations to verify remediation status and review affected portals for signs of compromise.
Technical Details
The improper access control (CWE-284) exists in the Power Pages user registration and privilege assignment flow. An unauthenticated attacker can interact with the user registration endpoint in a way that bypasses the registration controls — potentially creating unauthorized accounts or assigning elevated roles to a newly registered account without going through the intended approval process.
The High integrity impact (I:H) and Low confidentiality impact (C:L) in the CVSS score reflect that the attacker can modify Power Pages portal data (through elevated access) and gain some read access to portal-exposed data, but full Dataverse data exfiltration depends on what data the portal exposes.
Key characteristics:
- Fully network-reachable (AV:N) — exploitable from the internet
- No credentials required (PR:N) — unauthenticated access
- No user interaction required (UI:N) — automated exploitation possible
- Cloud service — Microsoft patched server-side without customer action required
Discovery
Microsoft Threat Intelligence identified active exploitation in the wild, and Microsoft published its advisory simultaneously with the service-side patch on February 19, 2025.
Exploitation Context
Microsoft confirmed exploitation in the wild and directly notified affected Power Pages organizations with specific indicators of compromise to check. The exploitation likely targeted organizations that used Power Pages portals to expose sensitive business data to external partners or customers. The unauthenticated access and privilege escalation capability would allow attackers to enumerate portal data, create persistent unauthorized accounts, and potentially access Dataverse data that was exposed through the portal.
Power Pages portals for government agencies and regulated industries (healthcare, finance) represent high-value targets given the sensitivity of the data often exposed through these portals.
Remediation
- Verify service patch status — Microsoft applied the server-side patch on February 19, 2025. Confirm your Power Pages environments are running the patched version via the Power Platform admin center.
- Review Power Pages audit logs for unauthorized user registrations or unexpected role assignments between January and February 19, 2025.
- Check for unauthorized accounts in your Power Pages site user list — look for accounts created without corresponding business registration activity or approval workflow records.
- Review Dataverse data access logs for anomalous data reads from Power Pages portal sessions during the exposure window.
- Restrict Power Pages registration: if your portal does not require public self-registration, disable open registration and require invitation-based or administrator-approved registration.
- Notify potentially affected users: if sensitive data was exposed, follow applicable breach notification obligations.
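The audit-log and account-list reviews above amount to one triage pass over exported portal records. The script below is an added example, not Microsoft tooling and not a documented Power Pages export format: the line-delimited JSON layout, the event names (`contact.created`, `invitation.redeemed`, `registration.approved`, `webrole.assigned`) and the sample records are constructed for illustration, and the set of roles treated as elevated is an assumption a tenant would adapt ("Administrators" is a default Power Pages web role; "Portal Admin" is a placeholder). It flags accounts created inside the advisory's exposure window (January 2025 through the February 19 patch) that either lack an invitation or approval record or received an elevated web role, which is the pattern the remediation steps ask you to look for.

```python
"""
Triage helper for CVE-2025-24989 follow-up: flag portal accounts created in the
exposure window that have no invitation/approval record or that were given an
elevated web role. Added example; the audit export format and event names below
are constructed stand-ins, not a Microsoft schema.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional
import json

# Exposure window from the advisory: January 2025 until the service patch on 2025-02-19.
WINDOW_START = datetime(2025, 1, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 2, 19, 23, 59, 59, tzinfo=timezone.utc)

# Web roles treated as elevated (assumption). "Administrators" is a default Power Pages
# web role; "Portal Admin" is a placeholder for a tenant-specific custom role.
ELEVATED_ROLES = {"Administrators", "Portal Admin"}

# Constructed sample export: one JSON object per line. Field and event names are assumed.
SAMPLE_AUDIT_EXPORT = """
{"event":"contact.created","contact":"alice@partner.example","time":"2025-01-20T09:12:00Z","source":"invitation"}
{"event":"invitation.redeemed","contact":"alice@partner.example","time":"2025-01-20T09:12:00Z"}
{"event":"contact.created","contact":"ghost01@mail.example","time":"2025-02-03T02:41:17Z","source":"open_registration"}
{"event":"webrole.assigned","contact":"ghost01@mail.example","role":"Administrators","time":"2025-02-03T02:41:19Z"}
{"event":"contact.created","contact":"bob@customer.example","time":"2025-02-10T14:00:00Z","source":"open_registration"}
{"event":"webrole.assigned","contact":"bob@customer.example","role":"Authenticated Users","time":"2025-02-10T14:00:01Z"}
{"event":"contact.created","contact":"carol@vendor.example","time":"2025-03-02T08:00:00Z","source":"open_registration"}
{"event":"webrole.assigned","contact":"carol@vendor.example","role":"Administrators","time":"2025-03-02T08:00:05Z"}
"""


@dataclass
class Account:
    contact: str
    created: Optional[datetime] = None
    source: Optional[str] = None
    approved: bool = False                      # invitation redeemed or approval recorded
    roles: List[str] = field(default_factory=list)


def parse_time(value: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing Z as UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def build_accounts(export_text: str) -> Dict[str, Account]:
    """Fold the per-event export into one record per contact."""
    accounts: Dict[str, Account] = {}
    for line in export_text.strip().splitlines():
        rec = json.loads(line)
        acct = accounts.setdefault(rec["contact"], Account(rec["contact"]))
        event = rec["event"]
        if event == "contact.created":
            acct.created = parse_time(rec["time"])
            acct.source = rec.get("source")
        elif event in ("invitation.redeemed", "registration.approved"):
            acct.approved = True
        elif event == "webrole.assigned":
            acct.roles.append(rec["role"])
    return accounts


def triage(export_text: str, start: datetime = WINDOW_START, end: datetime = WINDOW_END) -> Dict[str, dict]:
    """Return {contact: {"severity": ..., "reasons": [...]}} for accounts needing review."""
    findings: Dict[str, dict] = {}
    for acct in build_accounts(export_text).values():
        # Only accounts created inside the exposure window are in scope for this pass.
        if acct.created is None or not (start <= acct.created <= end):
            continue
        reasons = []
        if not acct.approved:
            reasons.append(f"created via {acct.source} with no invitation/approval record")
        elevated = sorted(set(acct.roles) & ELEVATED_ROLES)
        if elevated:
            reasons.append("elevated web role(s): " + ", ".join(elevated))
        if reasons:
            # An elevated role on an unexpected account is the privilege-escalation signature.
            findings[acct.contact] = {"severity": "high" if elevated else "review", "reasons": reasons}
    return findings


if __name__ == "__main__":
    for contact, finding in triage(SAMPLE_AUDIT_EXPORT).items():
        print(f"[{finding['severity']}] {contact}: " + "; ".join(finding["reasons"]))
```

On the constructed sample this reports `ghost01@mail.example` as high (open registration, no approval, "Administrators" role) and `bob@customer.example` for review (open registration with no approval but only the default authenticated role); `alice` is skipped because an invitation was redeemed, and `carol` falls outside the window. Widen `end` if your own exposure window is longer, since an account created after the patch with an unexplained elevated role still deserves the same review.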
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2025-24989 |
| Vendor / Product | Microsoft — Power Pages |
| NVD Published | 2025-02-19 |
| NVD Last Modified | 2025-10-27 |
| CVSS 3.1 Score | 8.2 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N |
| Severity | HIGH |
| CWE | CWE-284 |
| CISA KEV Added | 2025-02-21 |
| CISA KEV Deadline | 2025-03-14 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2025-02-19 | Microsoft patches via Power Pages service update; CVE published |
| 2025-02-21 | CISA adds to KEV; Microsoft discloses active exploitation and notifies affected customers |
| 2025-03-14 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Microsoft Security Response Center — CVE-2025-24989 | Vendor Advisory |
| NVD — CVE-2025-24989 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Microsoft Power Pages Flaw Exploited in the Wild | News |