CVE-2025-24989 - Microsoft Power Pages Improper Access Control Vulnerability

Microsoft | Power Pages

• Date Added:
• 2025-02-21

• Due Date:
• 2025-03-14

Vulnerability Name

Microsoft Power Pages Improper Access Control Vulnerability

Description

Microsoft Power Pages contains an improper access control vulnerability that allows an unauthorized attacker to elevate privileges over a network potentially bypassing the user registration control.

Known To Be Used in Ransomware Campaigns?

Unknown

Action

Apply mitigations per vendor instructions, follow BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Additional Notes

https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-24989 ; https://nvd.nist.gov/vuln/detail/CVE-2025-24989

Latest Security News

Google Chrome disables uBlock Origin for some in Manifest v3 rollout

SpyLend Android malware downloaded 100,000 times from Google Play

Hacker steals record $1.46 billion from Bybit ETH cold wallet

Apple Drops iCloud's Advanced Data Protection in the U.K. Amid Encryption Backdoor Demands

Data Leak Exposes TopSec's Role in China's Censorship-as-a-Service Operations

CISA flags Craft CMS code injection flaw as exploited in attacks

Apple pulls iCloud end-to-end encryption feature in the UK

Cybercriminals Can Now Clone Any Brand's Site in Minutes Using Darcula PhaaS v3

Common Alerts

MediumSession ID in URL Rewrite

MediumSource Code Disclosure - PHP

HighSpring4Shell

MediumHTTPS to HTTP Insecure Transition in Form Post

InformationalStorable and Cacheable Content

MediumCSP: Wildcard Directive

LowTimestamp Disclosure - Unix

InformationalCross Site Scripting (Persistent) - Spider

MediumCSP: Malformed Policy (Non-ASCII)

HighHeartbleed OpenSSL Vulnerability (Indicative)

Latest CVE List

CVE-2025-24989 Microsoft Power Pages Improper Access Control Vulnerability

CVE-2025-23209 Craft CMS Code Injection Vulnerability

CVE-2025-0111 Palo Alto Networks PAN-OS File Read Vulnerability

CVE-2024-53704 SonicWall SonicOS SSLVPN Improper Authentication Vulnerability

CVE-2025-0108 Palo Alto Networks PAN-OS Authentication Bypass Vulnerability

CVE-2024-57727 SimpleHelp Path Traversal Vulnerability

CVE-2024-41710 Mitel SIP Phones Argument Injection Vulnerability

CVE-2025-24200 Apple iOS and iPadOS Incorrect Authorization Vulnerability

CVE-2025-21391 Microsoft Windows Storage Link Following Vulnerability

CVE-2025-21418 Microsoft Windows Ancillary Function Driver for WinSock Heap-Based Buffer Overflow Vulnerability

Top CWE List

HighCWE-200 Exposure of Sensitive Information to an Unauthorized Actor

CWE-693 Protection Mechanism Failure

CWE-201 Insertion of Sensitive Information Into Sent Data

CWE-581 Object Model Violation: Just One of Equals and Hashcode Defined

CWE-1426 Improper Validation of Generative AI Output

CWE-1021 Improper Restriction of Rendered UI Layers or Frames

HighCWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CWE-284 Improper Access Control

MediumCWE-352 Cross-Site Request Forgery (CSRF)

CWE-359 Exposure of Private Personal Information to an Unauthorized Actor