Fri Feb 21 2025

Microsoft fixes a security vulnerability in Power Pages and warns users to exercise caution.

Microsoft has warned about a vulnerability that is being actively exploited by cybercriminals.

A high-severity vulnerability has been found and corrected in Microsoft Power Pages, which allowed malicious actors to access targeted websites. Although the security breach has been resolved, the company has issued a warning to users to remain vigilant for potential signs of exploitation.

Details of the vulnerability, cataloged as CVE-2025-24989, were disclosed recently; it stems from improper access control in Power Pages. The flaw allowed an unauthorized attacker to elevate privileges over a network, potentially bypassing the user registration control. In simple terms, this meant that attackers could gain access to other people's websites. The vulnerability received a severity rating of 8.2 out of 10, classifying it as high.

So far, neither the identity of those responsible for the attacks nor the number of sites that may have been compromised is known. Power Pages is estimated to have over 250 million monthly active users, including institutions such as the National Health Service of Great Britain.

Power Pages is a low-code platform designed for creating secure, data-driven websites, allowing users to easily build and customize sites while integrating with other Microsoft services like Power Automate and Dataverse. It focuses on businesses and organizations that require accessible portals for customers, partners, or employees, without needing extensive programming knowledge. As a Software as a Service (SaaS), all updates and patches are managed directly by Microsoft on their servers.

Although the company has already deployed the security fix, this does not guarantee that every issue has been resolved. Reportedly, some cybercriminals exploited the vulnerability before Microsoft identified it, gaining access to an as-yet undetermined number of websites. What that access was used for is not clearly known, but it could include redirecting visitors to malicious sites, spreading misleading ads, or stealing data.

Microsoft has warned certain users to stay alert and look for signs of possible exploitation. The company stated that "this vulnerability has been mitigated in the service and all affected customers have been notified." Those customers were also given instructions to check their sites for potential exploitation and to carry out clean-up steps. A user who has not been notified is not affected by the vulnerability.
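The article says affected customers were told to check their sites, but does not say how. The following is an added example written for this page, not Microsoft's guidance and not code from Power Pages: it shows the kind of triage a site owner can run over an export of portal accounts, flagging accounts created after a chosen date that hold a privileged web role, or that registered through open registration while it was switched off. The record layout, the role names ("Administrators", "Content Authors") and the "registered_via" values are assumptions; the sample records are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed role names; substitute the privileged web roles your site actually defines.
PRIVILEGED_ROLES = {"Administrators", "Content Authors"}


@dataclass
class PortalContact:
    """One portal account, as it might appear in an export of site contacts (assumed layout)."""
    email: str
    created_on: datetime                  # when the account was created (timezone-aware)
    web_roles: set = field(default_factory=set)
    registered_via: str = "invitation"    # assumed values: "invitation" or "open"


@dataclass
class Finding:
    email: str
    reason: str


def triage(contacts, window_start, open_registration_enabled):
    """Return one Finding per suspicious property of each account created on or after window_start.

    Two checks: a new account holding a privileged web role, and a new account that came in
    through open registration while open registration was disabled on the site.
    """
    findings = []
    for c in contacts:
        if c.created_on < window_start:
            continue  # pre-dates the review window; out of scope for this pass
        privileged = c.web_roles & PRIVILEGED_ROLES
        if privileged:
            findings.append(Finding(
                c.email,
                "new account holds privileged web role(s): " + ", ".join(sorted(privileged)),
            ))
        if c.registered_via == "open" and not open_registration_enabled:
            findings.append(Finding(
                c.email,
                "account registered through open registration while it was disabled",
            ))
    return findings


def sample_contacts():
    """Constructed records for the example; not real site data."""
    utc = timezone.utc
    return [
        PortalContact("admin@example.test", datetime(2024, 6, 1, tzinfo=utc),
                      {"Administrators"}, "invitation"),
        PortalContact("customer1@example.test", datetime(2025, 2, 10, tzinfo=utc),
                      {"Authenticated Users"}, "invitation"),
        PortalContact("newadmin@example.test", datetime(2025, 2, 12, tzinfo=utc),
                      {"Authenticated Users", "Administrators"}, "open"),
        PortalContact("walkin@example.test", datetime(2025, 2, 15, tzinfo=utc),
                      {"Authenticated Users"}, "open"),
    ]


def run_example():
    """Review accounts created from 1 Feb 2025 on a site where open registration is disabled."""
    window = datetime(2025, 2, 1, tzinfo=timezone.utc)
    return triage(sample_contacts(), window, open_registration_enabled=False)


if __name__ == "__main__":
    for f in run_example():
        print(f"{f.email}: {f.reason}")
```

On the constructed data the long-standing administrator is skipped, the invited customer produces nothing, the newly created account with an administrator role is reported twice (privileged role, and open registration while disabled), and the walk-in account once. Each finding is a lead to review against the site's own activity records, not proof of compromise.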