Cyber Posture

CVE-2025-24989

Severity: High · CISA KEV · Active Exploitation

Published: 19 February 2025

Modified: 27 October 2025
KEV added: 21 February 2025
Patch: mitigated service-side by Microsoft (see Security Summary)
CVSS v3.1 base score: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N)
EPSS score: 0.3162 (96.8th percentile)
Risk priority: 55 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

An improper access control vulnerability in Microsoft Power Pages allows an unauthorized attacker to elevate privileges over a network by bypassing the user registration control.

Security Summary

CVE-2025-24989 is an improper access control vulnerability (CWE-284) in Microsoft Power Pages that lets an unauthorized attacker elevate privileges over a network by bypassing the site's user registration control. Published on 19 February 2025, it carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N): the attack is network-reachable, low complexity, and needs neither prior privileges nor user interaction, which is what drives the High rating.

An unauthenticated remote attacker can therefore obtain a user context the site never meant to grant, and with it unauthorized access to and modification of content in the affected Power Pages site. The vector's impact metrics put the damage on integrity (High) with limited confidentiality exposure (Low) and no availability impact (None); with scope unchanged (S:U), the impact stays within the affected site's own authorization boundary.

Microsoft has already mitigated the vulnerability service-wide in Power Pages and notified all affected customers with instructions to review their sites for signs of exploitation and apply the cleanup steps it provided. According to Microsoft's advisory, customers who were not notified are not affected. Additional details are available in the MSRC update guide and CISA's Known Exploited Vulnerabilities catalog.

Details

CWE(s)
CWE-284 (Improper Access Control); NVD-CWE-noinfo
KEV Date Added
21 February 2025

Affected Products

Microsoft Power Pages, all versions

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation (Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The CVE describes a remote, unauthenticated improper access control flaw in the public-facing Microsoft Power Pages web service. Exploiting it over the network to bypass the registration control maps to T1190 (Exploit Public-Facing Application) for the initial access; the elevated privileges that result map to T1068 (Exploitation for Privilege Escalation).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
