Microsoft has issued a security alert regarding a high-severity elevation of privilege vulnerability in Power Pages, which hackers exploited as a zero-day attack.

The flaw, identified as CVE-2025-24989, allowed unauthorized users to bypass registration controls and gain elevated access over a network.

Microsoft confirmed that it has mitigated the issue at the service level and directly notified affected customers with remediation instructions. “This vulnerability has already been mitigated in the service, and all affected customers have been notified,” Microsoft stated in its security bulletin. Organizations that did not receive a notification are not impacted.


Power Pages, a low-code SaaS platform under the Microsoft Power Platform, enables businesses to create secure external-facing websites. As a cloud-based service, the vulnerability was likely exploited remotely. However, Microsoft has not disclosed details on how attackers leveraged the flaw.

In addition to fixing this issue, Microsoft also addressed a Bing remote code execution vulnerability (CVE-2025-21355), though it has not been marked as exploited.

Security Recommendations

Even though Microsoft has applied the fix, administrators should take extra precautions:

  • Review activity logs for unauthorized changes or suspicious user registrations.
  • Audit user roles and privileges to ensure no unauthorized escalations have occurred.
  • Examine security controls and permissions for unusual modifications.
  • Revoke rogue accounts, reset affected credentials, and enforce multi-factor authentication (MFA).

If Microsoft did not notify your organization, it is unlikely that your system was affected. However, regular security audits remain crucial to prevent potential threats.

READ
U.K. Healthcare Provider HCRG Care Group Investigates Ransomware Attack