This post was originally published on Security Affairs. It can be found here.

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Microsoft Power Pages vulnerability to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a Microsoft Power Pages vulnerability, tracked as CVE-2025-24989, to its Known Exploited Vulnerabilities (KEV) catalog.

CVE-2025-24989 (CVSS score: 8.2) is an improper access control flaw in Power Pages, an unauthorized attacker could exploit the flaw to elevate privileges over a network potentially bypassing the user registration control.

Raj Kumar with Microsoft reported the vulnerability. This week Microsoft addressed it and confirmed that this vulnerability is actively exploited in the wild.

“Affected customers have been given instructions on reviewing their sites for potential exploitation and clean up methods. If you’ve not been notified this vulnerability does not affect you.” reads the advisory published by Microsoft.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this vulnerability by March 21, 2025.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, privilege escalation)

This post was originally published on this site