The Register: Oops, some of our customers’ Power Pages sites were exploited, says Microsoft

Source URL: https://www.theregister.com/2025/02/20/microsoft_patch_power_pages/
Source: The Register
Title: Oops, some of our customers’ Power Pages sites were exploited, says Microsoft

Feedly Summary: Don’t think this is SaaS and you can relax: Redmond wants a few of you to check your websites
Microsoft has fixed a security flaw in its Power Pages website-building SaaS, after criminals got there first – and urged users to check their sites for signs of exploitation.…

AI Summary and Description: Yes

Summary: Microsoft has addressed a significant security vulnerability in its Power Pages SaaS platform, tracked as CVE-2025-24989, which allowed an unauthorized user to escalate privileges over the network, potentially bypassing the site's user registration controls. The incident highlights the risks inherent in software-as-a-service solutions, where customers depend on the provider for patching but still need to check their own sites for signs of compromise, and underscores the importance of timely security updates.

Detailed Description:

– Microsoft had a security flaw in its Power Pages platform, a part of its low-code Power Platform suite.
– The vulnerability allowed an unauthorized user to escalate privileges over the network and compromise account access, potentially bypassing user registration controls.
– Microsoft announced that the flaw, rated 8.2 out of 10 on the CVSS scale, had already been exploited prior to the patch release.
– The software company provided guidelines to customers on verifying their sites for any exploitation signs and cleanup procedures if needed.
– The issue does not affect every Power Pages site; only customers who received a notification from Microsoft are affected.
– Microsoft has over 250 million monthly active users of Power Pages, including prominent organizations like the UK’s National Health Service, which previously suffered a data exposure incident attributed to misconfigured access controls.
– Alongside this, Microsoft addressed another high-severity issue in its Bing search engine, tracked as CVE-2025-21355, in which a lack of proper authentication allowed unauthenticated code execution.
– Microsoft’s prompt response to vulnerabilities emphasizes the need for robust security practices and continuous monitoring, particularly for SaaS platforms that handle sensitive data.

Key Points:
– Vigilance is essential for SaaS users to identify and mitigate risks associated with unpatched vulnerabilities.
– Continuous updates and patches from providers are critical for maintaining security posture.
– Organizations must ensure access controls and configurations are correctly managed to shield against misconfigurations that can lead to data exposure.

This situation reflects broader trends in cloud computing and software security, where continuous integration and rapid deployment can sometimes outpace security measures, making it paramount for users and providers alike to prioritize security and compliance.