Oops, some of our customers' Power Pages-hosted sites were exploited, says Microsoft

Don't think this is SaaS and you can relax: Redmond wants a few of you to check your websites


Microsoft has fixed a security flaw in its Power Pages website-building SaaS, after criminals got there first – and urged users to check their sites for signs of exploitation.

Power Pages is part of Microsoft's low-code Power Platform suite and offers tools to create, host, and update business websites.

The newly patched flaw, CVE-2025-24989, technically speaking allows attackers to elevate privileges over a network, potentially bypassing the user registration control. In plainer English: Unauthorized miscreants could use the hole to log into sites using accounts they shouldn't have.

Power Pages is software-as-a-service, so Microsoft has closed the vulnerability at its end. The software giant has nonetheless sent affected customers instructions on how to review their sites for signs of potential exploitation, and procedures to clean up if needed.

The good news is that this problem doesn't impact all Power Pages users. "If you've not been notified, this vulnerability does not affect you," states Microsoft's advisory.

Microsoft staffer Raj Kumar spotted the flaw, which was rated 8.2 out of 10 on the CVSS scale. Redmond warned that attackers had already taken advantage of the flaw before it implemented the fix.

Power Pages was introduced in 2022, and Microsoft claims it has over 250 million monthly active website users. One of them is Britain's National Health Service, which last year exposed data describing over a million of its staff due to misconfigured access controls in websites it built with Power Pages.

Asked for further comment on this latest update, a Microsoft spokesperson told us simply: "We released a fix and customers are protected."

Meanwhile, the Windows giant has patched a high-severity flaw in its search engine Bing. The CVSS 8.6-rated issue – CVE-2025-21355 – would, again technically speaking, let an unauthenticated attacker execute code over a network due to missing authentication for a critical function.

There's no evidence of active exploitation, but proof-of-concept code is already out there, according to Microsoft. Once again, the software giant has pushed out a patch to fix the issue, and no action is required from customers. ®
