On February 19, 2025, Microsoft disclosed CVE-2025-24989, an improper access control vulnerability in Microsoft Power Pages that allowed unauthorized attackers to elevate privileges over a network. The vulnerability was actively exploited before the patch was deployed, and Microsoft directly notified affected customers with remediation guidance.
Power Pages is Microsoft's low-code platform for building external-facing business websites. It is part of the Microsoft Power Platform ecosystem alongside Power Apps, Power Automate, and Power BI. The platform is widely used by organizations to build customer portals, partner sites, and self-service applications without traditional software development.
What Made This Different
Unlike most vulnerabilities written up in security blogs, CVE-2025-24989 affected a cloud-hosted service rather than software that customers install and update themselves. Microsoft fixed the flaw in the service, so there was no patch for customers to apply. But Microsoft also warned that affected environments might already have been compromised before the fix landed, and that those customers had to investigate and clean up on their own side.
The vulnerability was an improper access control issue that allowed an attacker to bypass registration controls on a Power Pages site. Specifically, the flaw enabled:
- Bypassing email-based registration controls, allowing an attacker to register on a Power Pages site that should have restricted who could create accounts.
- Privilege escalation within the site, allowing the attacker to gain higher-level roles than their account should have been assigned.
This combination meant an attacker could register on a restricted Power Pages site and then elevate their access to administrative or other high-privilege roles, gaining access to sensitive data and functionality.
The Low-Code Security Gap
CVE-2025-24989 highlighted a growing concern in the industry: the security implications of low-code and no-code platforms. These platforms democratize application development, allowing business users to build and deploy web applications without deep technical expertise. But they also introduce security risks that application security programs built around code scanning and release gates are not set up to catch.
Common security challenges with low-code platforms include:
Misconfigured access controls. Low-code platforms abstract away the complexity of authentication and authorization. This is convenient for builders, but it means security-critical configurations are often set through point-and-click interfaces by people who may not fully understand the implications of their choices.
Limited security visibility. Traditional application security tools (SAST, DAST, SCA) are designed to analyze source code and HTTP endpoints. Low-code applications may not have source code in the traditional sense, and their behavior is defined through platform configurations rather than code.
Shared responsibility confusion. With cloud-hosted low-code platforms, the line between what the platform vendor secures and what the customer is responsible for is not always clear. CVE-2025-24989 was a platform-level vulnerability that Microsoft patched, but the post-compromise cleanup was the customer's responsibility.
Rapid deployment without security review. The entire point of low-code platforms is to enable fast development and deployment. This speed often bypasses the security review gates that traditional software development processes enforce.
The Power Platform Attack Surface
Microsoft Power Pages is not the only component of the Power Platform that has attracted security scrutiny. In recent years, researchers have identified various security concerns:
- Dataverse permission issues where improperly configured table permissions exposed sensitive data to unauthenticated users.
- Power Automate flow manipulation where attackers with limited access could modify automated workflows to escalate privileges or exfiltrate data.
- Power Apps data exposure where applications inadvertently made backend data accessible through their APIs.
These are not all "vulnerabilities" in the traditional CVE sense. Many are configuration issues that arise from the gap between the platform's capabilities and the security awareness of the people configuring it. But the impact is the same: unauthorized access to sensitive data.
Microsoft has invested in improving Power Platform security, including adding security features like data loss prevention (DLP) policies, environment-level security groups, and enhanced audit logging. But these features only work when they are properly configured, and many organizations adopt Power Platform without involving their security team.
Remediation
Microsoft's remediation guidance for CVE-2025-24989 included:
- Review site user accounts for any unauthorized registrations, particularly accounts created around the time of the exploitation window.
- Audit role assignments for unexpected privilege escalations. Look for accounts with administrative or custom high-privilege roles that should not have them.
- Review audit logs for suspicious activity, including data access patterns that do not match normal usage.
- Regenerate secrets if the affected Power Pages site stored or processed sensitive credentials.
Because the patch was applied server-side by Microsoft, no customer action was needed for the fix itself. The critical customer action was the post-compromise investigation.
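As an added example (not Microsoft's guidance and not a Microsoft tool), the checks in the list above written out as a small Python triage script. It takes the site's contacts with their web roles, in the shape a Dataverse Web API query over the contact table would return, and flags three things: accounts registered inside the exploitation window, accounts holding a high-privilege web role that are not on your allow-list, and roles that appeared since an earlier snapshot. The relationship name adx_webrole_contact, the custom role "Portal Managers", the window dates, the allow-list and the sample contacts are all assumptions constructed for the example.

```python
from datetime import datetime, timezone

# Roles the audit treats as high privilege. "Administrators" is the built-in
# Power Pages site admin role; "Portal Managers" is a hypothetical custom role.
HIGH_PRIV_ROLES = {"Administrators", "Portal Managers"}

# Suspected exploitation window and known admins (assumptions for this example;
# use the dates from Microsoft's notification and your own records).
WINDOW_START = datetime(2025, 2, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 2, 19, tzinfo=timezone.utc)
EXPECTED_ADMINS = {"admin@example.com"}

# Constructed sample: contacts as a Dataverse Web API query with web roles
# expanded might return them. createdon and emailaddress1 are standard
# Dataverse columns; adx_webrole_contact is the assumed N:N relationship name.
SAMPLE_CONTACTS = [
    {"contactid": "c-001", "emailaddress1": "admin@example.com",
     "createdon": "2024-11-02T09:14:00Z",
     "adx_webrole_contact": [{"adx_name": "Administrators"},
                             {"adx_name": "Authenticated Users"}]},
    {"contactid": "c-002", "emailaddress1": "partner@example.net",
     "createdon": "2025-01-20T15:02:11Z",
     "adx_webrole_contact": [{"adx_name": "Authenticated Users"}]},
    {"contactid": "c-003", "emailaddress1": "x7f3@mailbox.invalid",
     "createdon": "2025-02-12T03:41:57Z",
     "adx_webrole_contact": [{"adx_name": "Authenticated Users"},
                             {"adx_name": "Administrators"}]},
]

# Constructed role snapshot taken before the window: email -> set of roles.
BASELINE_ROLES = {
    "admin@example.com": {"Administrators", "Authenticated Users"},
    "partner@example.net": {"Authenticated Users"},
}


def parse_ts(value):
    """Parse a Dataverse UTC timestamp such as 2025-02-12T03:41:57Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def roles_of(contact):
    """Set of web role names attached to one contact record."""
    return {w["adx_name"] for w in contact.get("adx_webrole_contact", [])}


def registrations_in_window(contacts, start, end):
    """Emails of accounts created inside the suspected exploitation window."""
    return sorted(c["emailaddress1"] for c in contacts
                  if start <= parse_ts(c["createdon"]) <= end)


def unexpected_privileged(contacts, expected_admins):
    """Accounts holding a high-privilege role that are not on the allow-list."""
    allowed = {e.lower() for e in expected_admins}
    hits = {}
    for c in contacts:
        privileged = roles_of(c) & HIGH_PRIV_ROLES
        if privileged and c["emailaddress1"].lower() not in allowed:
            hits[c["emailaddress1"]] = sorted(privileged)
    return hits


def role_changes(baseline, contacts):
    """Roles present now that were absent from the earlier snapshot."""
    changes = {}
    for c in contacts:
        email = c["emailaddress1"]
        added = roles_of(c) - baseline.get(email, set())
        if added:
            changes[email] = sorted(added)
    return changes


def triage(contacts, start, end, expected_admins, baseline):
    """Run all three checks and return their findings keyed by check name."""
    return {
        "registered_in_window": registrations_in_window(contacts, start, end),
        "unexpected_privileged": unexpected_privileged(contacts, expected_admins),
        "role_changes": role_changes(baseline, contacts),
    }


def run_sample_triage():
    """Triage the constructed sample with the assumed window and allow-list."""
    return triage(SAMPLE_CONTACTS, WINDOW_START, WINDOW_END,
                  EXPECTED_ADMINS, BASELINE_ROLES)


if __name__ == "__main__":
    for check, findings in run_sample_triage().items():
        print(f"{check}: {findings}")
```

Against the sample, only the account registered on 12 February is flagged, and it is flagged by all three checks: it was created inside the window, it holds Administrators without being on the allow-list, and neither of its roles existed in the baseline. On a real site, replace SAMPLE_CONTACTS with the query result and BASELINE_ROLES with a snapshot taken before the window; re-running role_changes against a fresh snapshot on a schedule is the monitoring for anomalous role changes that the takeaways below call for.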
Broader Implications
CVE-2025-24989 is a signal that security teams need to extend their vulnerability management programs to cover vendor-patched cloud services, not just the software they install and update themselves. With a cloud service there is no patch to deploy, but there may still be a compromise to find, and that work only starts once someone maps the vendor's notification to the environments it affects.
Key takeaways:
Inventory your low-code deployments. Many organizations do not have a complete picture of which Power Platform environments exist, what data they access, or who administers them. Shadow IT is a real concern with low-code platforms because their whole value proposition is enabling non-IT personnel to build applications.
Apply security baselines. Microsoft publishes security guidance for Power Platform. Implement it consistently across all environments, not just the ones the security team knows about.
Monitor for anomalous registrations and role changes. These are the primary indicators of exploitation for vulnerabilities like CVE-2025-24989.
Include cloud platforms in your security reviews. Just because you are not running the infrastructure does not mean you are not responsible for the security of the applications and data hosted on it.
How Safeguard.sh Helps
Safeguard.sh extends supply chain visibility to include the platforms and services your organization relies on, not just the code you build. By tracking your technology inventory -- including cloud services like Microsoft Power Platform -- Safeguard can alert you when vulnerabilities are disclosed in the platforms underpinning your business operations.
Safeguard's continuous monitoring and policy gate capabilities help you enforce security baselines across your deployment, ensuring that low-code platforms receive the same security scrutiny as custom-built software. When Microsoft discloses a Power Platform vulnerability, Safeguard helps you assess your exposure and track your response, closing the gap between vendor notification and organizational action.