
The vulnerability, tracked as CVE-2025-24989 (CVSS score 8.2), is an improper access control issue in Power Pages that allows an unauthorized attacker to elevate privileges over a network, potentially bypassing the user registration control.
Microsoft has already fixed this vulnerability in the service and all affected customers have been notified.
“Affected customers have been given instructions on reviewing their sites for potential exploitation and clean up methods. If you’ve not been notified this vulnerability does not affect you.” – Microsoft
Among other things, administrators are advised to review logs for suspicious activities, user registrations, or unauthorized changes. Since CVE-2025-24989 is a privilege escalation vulnerability, user lists should be carefully reviewed, with special attention paid to administrators and high-privileged users.
Microsoft didn’t provide any details about vulnerability exploitation mechanisms used in the attacks, but since Power Pages is a cloud service, it’s clear that these attacks were delivered remotely.
In addition, this week Microsoft fixed an RCE vulnerability in Bing tracked as CVE-2025-21355 (CVSS score 8.6). No reports of attacks exploiting this bug have been released.