Microsoft Patches Critical Power Pages Vulnerability; 250 Million Users Advised to Stay Vigilant
February 21, 2025
Microsoft has not disclosed specific details regarding the attacks that exploited this vulnerability.
Power Pages enables users to create secure, data-driven websites with ease, integrating with other Microsoft services.
The vulnerability allowed unauthorized attackers to log into target websites by elevating privileges and potentially bypassing user registration controls.
Exploiting this vulnerability could enable cybercriminals to redirect users to malicious sites, serve malvertising, or steal sensitive data.
On February 18, 2025, Microsoft announced the patching of a critical vulnerability in its Power Pages platform, identified as CVE-2025-24989.
This announcement comes after reports of misconfigured implementations of Power Pages that previously exposed confidential data, raising security concerns.
Power Pages is a low-code platform with over 250 million monthly active users, including organizations like Britain’s National Health Service.
Customers do not need to manually install patches, but they are advised to check their instances for signs of compromise.
Despite the patch being deployed, Microsoft warns users to remain vigilant as cybercriminals might have exploited the flaw before its discovery.
The vulnerability was reported by a Microsoft employee, underscoring the importance of robust internal security practices.
This flaw was rated with a severity score of 8.2 out of 10, indicating a high risk level for users.
Microsoft confirmed that the vulnerability has been mitigated and affected customers have been notified with instructions on how to review their sites.
Summary based on 2 sources
Sources

TechRadar Pro • Feb 21, 2025
Microsoft fixes Power Pages security flaw, tells users to be on their guard
SecurityWeek • Feb 20, 2025
Microsoft Patches Exploited Power Pages Vulnerability