Don't think this is SaaS and you can relax: Redmond wants a few of you to check your websites

Microsoft has fixed a security flaw in its Power Pages website-building SaaS, after criminals got there first – and urged users to check their sites for signs of exploitation.

Power Pages is part of Microsoft's low-code Power Platform suite and offers tools to create, host, and update business websites.

The newly patched flaw, CVE-2025-24989, technically speaking allows attackers to elevate privileges over a network, potentially bypassing the user registration control. In plainer English: Unauthorized miscreants could use the hole to log into sites using accounts they shouldn't have.

Power Pages is software-as-a-service, so Microsoft has closed the vulnerability at its end. The software giant has nonetheless sent affected customers instructions on how to review their sites for signs of potential exploitation, and procedures to clean up if needed.

The good news is that this problem doesn’t impact all Power Pages users. “If you've not been notified, this ...