A zero-day vulnerability in Microsoft Power Pages has been exploited in the wild.

The vulnerability, listed as CVE-2025-24989, is an improper access control flaw that allows privilege escalation in Microsoft Power Pages, a low-code SaaS development platform for enterprise website-building. Microsoft disclosed and patched the high-severity vulnerability on Wednesday.

In a security advisory, Microsoft warned that the flaw has been exploited in the wild. Additionally, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-24989 to its known exploited vulnerabilities catalog on Friday and gave federal agencies a March 14 deadline to apply mitigations.

“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA said in an alert on CVE-2025-24989’s exploitation.