Microsoft has warned users about a high-severity privilege escalation vulnerability in Power Pages, its no-code, website-building platform. The vulnerability, CVE-2025-24989, has already been actively exploited as a zero-day attack.
Redmond’s security advisory assures users that the “vulnerability has already been mitigated in the service and all affected customers have been notified.” Affected customers have also been instructed to review their respective sites for any signs of exploitation and to apply mitigation measures if they find evidence of malicious activity.
Power Pages is a cloud-based service, so chances are exploitation happened remotely; regardless, the tech giant hasn’t shared technical details on how exactly the flaw was exploited. The attack also didn’t affect the entire service, as only a certain number of users have been notified.
If you’re a Power Pages user and haven’t received any information from Microsoft, you weren’t affected.
Power Pages is part of the larger Power Platform, which includes other tools like Power Apps, Power Automate, and Power BI. There’s no mention of the breach affecting any of the other platforms. That said, Redmond has also patched a remote code execution vulnerability in Bing, tracked as CVE-2025-21355. At the time of writing, there’s no evidence of this bug being exploited in the wild.
While the service has been patched, readers are advised to review their site activity logs for signs of suspicious activity, unknown user registrations, or unauthorised changes. Additionally, since the bug is a privilege escalation flaw, all administrator and other high-privilege accounts should be verified. Apart from Redmond’s clean-up instructions, general post-compromise security changes, such as revoking unauthorised access, updating passwords, and resetting multi-factor authentication (MFA) settings, are also advised.