U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Microsoft Power Pages vulnerability to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) [added](https://www.cisa.gov/news-events/alerts/2025/02/13/cisa-adds-one-known-exploited-vulnerability-catalog) a Microsoft Power Pages vulnerability, tracked as [CVE-2025-24989](https://www.cve.org/CVERecord?id=CVE-2025-24989), to its [Known Exploited Vulnerabilities (KEV) catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog).

**[CVE-2025-24989](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24989)** (CVSS score: 8.2) is an improper access control flaw in Power Pages. An unauthorized attacker could exploit the flaw to elevate privileges over a network, potentially bypassing the user registration control.

Raj Kumar with Microsoft reported the vulnerability. This week Microsoft [addressed](https://securityaffairs.com/174430/security/microsoft-fixed-actively-exploited-flaw-in-power-pages.html) it and confirmed that this vulnerability is actively exploited in the wild.

*"Affected customers have been given instructions on reviewing their sites for potential exploitation and clean up methods. If you've not been notified this vulnerability does not affect you."* reads the [advisory](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24989) published by Microsoft.

According to [Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities](https://cyber.dhs.gov/bod/22-01/), FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog. Experts also recommend that private organizations review the [Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this vulnerability by March 21, 2025.

[**Pierluigi Paganini**](http://www.linkedin.com/pub/pierluigi-paganini/b/742/559) ([**SecurityAffairs**](http://securityaffairs.co/wordpress/) – hacking, privilege escalation)
Related tags: NAICS 921 (Executive, Legislative, Other General Government Support); NAICS 54 (Professional, Scientific, Technical Services); NAICS 334 (Computer and Electronic Product Manufacturing); NAICS 541 (Professional, Scientific, Technical Services); NAICS 92 (Public Administration); NAICS 33 (Manufacturing – Metal, Electronics and Other); Blog: Security Affairs; MITRE ATT&CK TA0004 – Privilege Escalation; Exploitation for Client Execution.