Microsoft has confirmed active exploitation of a critical elevation-of-privilege vulnerability (CVE-2025-24989) in its Power Pages platform, a low-code tool organizations use to build business websites. The vulnerability, which allowed unauthorized attackers to bypass registration controls and escalate network privileges, underscores persistent security challenges in widely adopted cloud services.

Microsoft employee Raj Kumar discovered that CVE-2025-24989 stemmed from improper access controls in Power Pages’ user registration system. While Microsoft has not named impacted entities, the vulnerability’s discovery coincides with heightened scrutiny of Power Pages’ security posture. Security analysts warn that compromised Power Pages sites often serve as entry points for lateral movement into corporate networks.

Notably, this follows recent revelations about Power Pages misconfigurations exposing millions of records, including NHS employee data in 2024. In late 2024, misconfigured Power Pages implementations exposed over 7 million records across sectors such as healthcare and finance, including 1.1 million NHS staff details.

Microsoft continues to urge customers to monitor official advisories and use the Power Platform Admin Center’s enhanced security dashboard for real-time risk management. Microsoft’s incident response, praised for transparency, reveals the delicate balance between usability and security in cloud services. With Power Pages now integral to over 250 million monthly users’ operations, its security evolution will likely shape best practices for the entire low-code ecosystem.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security.
This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 20 Feb 2025 09:55:17 +0000