The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a Microsoft Power Pages vulnerability to its Known Exploited Vulnerabilities catalog. The flaw, tracked as CVE-2025-24989, is an improper access control issue with a CVSS score of 8.2. An unauthorized attacker who exploits it could elevate privileges over a network by bypassing the user registration control.
The vulnerability was reported by Raj Kumar of Microsoft, and Microsoft has confirmed that it is being actively exploited in the wild. Microsoft has provided affected customers with instructions on how to identify possible exploitation on their sites and with methods for cleanup. According to Microsoft, organizations that have not received a notification about this vulnerability are not affected.
Under Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, federal civilian executive branch (FCEB) agencies are required to remediate catalogued vulnerabilities by a set due date to protect their networks against attacks exploiting the flaws. Experts also recommend that private organizations review the Known Exploited Vulnerabilities catalog and address any of the listed vulnerabilities present in their infrastructure.
CISA has ordered federal agencies to fix this vulnerability by March 21, 2025.
As the cybersecurity landscape continues to evolve, it is imperative for organizations to stay vigilant and proactive in safeguarding their systems against potential threats. By staying informed about the latest vulnerabilities and adhering to security advisories, businesses can enhance their cybersecurity posture and mitigate the risks of cyberattacks.
Original Post URL: https://securityaffairs.com/174541/hacking/u-s-cisa-adds-microsoft-power-pages-flaw-known-exploited-vulnerabilities-catalog.html
Category & Tags: Breaking News, Hacking, Security, CISA, hacking news, information security news, IT Information Security, Known Exploited Vulnerabilities Catalog, Pierluigi Paganini, Security Affairs, Security News
(Original article written by Pierluigi Paganini for SecurityAffairs – focusing on hacking and privilege escalation)