1.0 Introduction
Microsoft has disclosed a high-severity Elevation of Privilege (EoP) vulnerability, CVE-2025-24989, in Microsoft Power Pages that has been exploited in the wild.
2.0 Impact
The vulnerability stems from improper access control (CWE-284). By bypassing the user registration controls of a Power Pages site, an attacker could obtain an account the site owner never intended to grant and use it to gain unauthorized access to sensitive systems or data.
3.0 Affected Products
- Microsoft Power Pages
4.0 Recommendations
CyberSecurity Malaysia encourages users and administrators to follow the steps below to mitigate potential risks and enhance security:
- Confirm that your Power Pages sites are running on the fixed service. Power Pages is a Microsoft-hosted service, so the fix is applied by Microsoft rather than through a customer-side upgrade; check the Microsoft Security Update Guide entry for CVE-2025-24989 and any notification Microsoft has sent to your tenant.
- Review the registration controls and access permissions (site settings, web roles and table permissions) of each Power Pages site to confirm that no unauthorized changes have been made.
- Investigate site logs and user activity for signs of exploitation, such as unexpected self-registrations, newly created accounts holding elevated web roles, or unauthorized access attempts.
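As an added worked example of the review and investigation steps above (it is not part of this advisory and not Microsoft's code), the following Python script compares a site's registration settings with the owner's intended baseline and lists the accounts created after any registration control changed. It assumes the rows have been exported from the site's Dataverse environment, for example from the adx_sitesetting table and from the contact table together with each contact's web role names, via the Dataverse Web API. The table, column and setting names are the ones Power Pages uses; the sample records, e-mail addresses and baseline values are constructed for illustration.

```python
"""Review a Power Pages site's registration controls and recently created portal accounts.

Added example for this advisory, not code from Microsoft or CyberSecurity Malaysia.
It assumes an export from the site's Dataverse environment: the registration-related
rows of the adx_sitesetting table and the portal contacts with their web role names.
All records below are constructed samples.
"""
from datetime import datetime

# Values the site owner intends for the registration-related site settings.
BASELINE = {
    "Authentication/Registration/Enabled": "false",
    "Authentication/Registration/OpenRegistrationEnabled": "false",
    "Authentication/Registration/InvitationEnabled": "true",
    "Authentication/Registration/LocalLoginEnabled": "false",
}

# Web roles whose assignment to a new account warrants immediate attention.
PRIVILEGED_ROLES = {"Administrators"}

# Constructed sample export of the adx_sitesetting table (adx_name, adx_value, modifiedon).
SAMPLE_SITE_SETTINGS = [
    {"adx_name": "Authentication/Registration/Enabled", "adx_value": "true",
     "modifiedon": "2025-02-15T03:12:00Z"},
    {"adx_name": "Authentication/Registration/OpenRegistrationEnabled", "adx_value": "false",
     "modifiedon": "2024-06-01T09:00:00Z"},
    {"adx_name": "Authentication/Registration/InvitationEnabled", "adx_value": "true",
     "modifiedon": "2024-06-01T09:00:00Z"},
    {"adx_name": "Authentication/Registration/LocalLoginEnabled", "adx_value": "false",
     "modifiedon": "2024-06-01T09:00:00Z"},
]

# Constructed sample contacts; "webroles" holds the adx_webrole names assigned to each.
SAMPLE_CONTACTS = [
    {"contactid": "c1", "emailaddress1": "known.user@example.com",
     "createdon": "2024-11-20T10:00:00Z", "webroles": ["Authenticated Users"]},
    {"contactid": "c2", "emailaddress1": "new.admin@example.com",
     "createdon": "2025-02-15T03:20:00Z", "webroles": ["Authenticated Users", "Administrators"]},
    {"contactid": "c3", "emailaddress1": "invited@example.com",
     "createdon": "2025-02-16T08:00:00Z", "webroles": ["Authenticated Users"]},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps Dataverse returns (e.g. 2025-02-15T03:12:00Z)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def registration_drift(settings, baseline=BASELINE):
    """Return each registration setting whose live value differs from the baseline.

    A deleted row falls back to the platform default, so a missing setting is
    reported too (actual=None).
    """
    current = {row["adx_name"]: row for row in settings}
    findings = []
    for name, expected in baseline.items():
        row = current.get(name)
        actual = row["adx_value"].strip().lower() if row else None
        if actual != expected.lower():
            findings.append({"setting": name, "expected": expected, "actual": actual,
                             "modifiedon": row["modifiedon"] if row else None})
    return findings


def earliest_change(findings):
    """Earliest modification time among the drifted settings, or None if unknown."""
    stamps = [parse_ts(f["modifiedon"]) for f in findings if f["modifiedon"]]
    return min(stamps) if stamps else None


def contacts_created_since(contacts, since):
    """Contacts created at or after `since`, flagged when they hold a privileged web role."""
    hits = [{"contactid": c["contactid"], "email": c["emailaddress1"],
             "createdon": c["createdon"],
             "privileged": bool(PRIVILEGED_ROLES & set(c["webroles"]))}
            for c in contacts if parse_ts(c["createdon"]) >= since]
    return sorted(hits, key=lambda h: h["createdon"])


def review_site(settings, contacts, baseline=BASELINE, lookback=None):
    """Correlate setting drift with account creation.

    Accounts that appeared after a registration control changed are the ones to
    reconcile against invitation records. If no drifted setting carries a timestamp,
    the caller-supplied `lookback` datetime is used as the pivot instead.
    """
    drift = registration_drift(settings, baseline)
    pivot = earliest_change(drift) or lookback
    new_accounts = contacts_created_since(contacts, pivot) if pivot else []
    return {"drift": drift, "pivot": pivot, "new_accounts": new_accounts}


if __name__ == "__main__":
    result = review_site(SAMPLE_SITE_SETTINGS, SAMPLE_CONTACTS)
    for f in result["drift"]:
        print(f"DRIFT      {f['setting']}: expected {f['expected']}, found {f['actual']} "
              f"(modified {f['modifiedon']})")
    for a in result["new_accounts"]:
        print(f"{'PRIVILEGED' if a['privileged'] else 'review':10} {a['email']} created {a['createdon']}")
```

To use it against a real site, replace the two SAMPLE_ lists with the exported rows and set BASELINE to the values your site is supposed to have. Treat the output as a worklist to reconcile against your invitation records and administrator change history, not as proof of compromise: a legitimate administrator may have changed a setting or invited a user in the same window.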
CyberSecurity Malaysia also encourages users and administrators to review the Microsoft Security Update Guide for more information and to apply the necessary updates.
Kindly refer to the following URL:
Generally, CyberSecurity Malaysia advises users of this product to keep up to date with the latest security announcements from the vendor and to follow best-practice security policies when determining which updates should be applied.
For further enquiries, please contact us through the following channels:
E-mail: cyber999[at]cybersecurity.my
Phone: 1-300-88-2999 (monitored during business hours)
Mobile: +60 19 2665850 (24x7 call incident reporting)
Business Hours: Mon - Fri 08:30 -17:30 MYT
Web: https://www.mycert.org.my
5.0 References