
Microsoft responds to new Power Pages Elevation of Privileges Vulnerability

by Jason Gumpert
Editor, MSDynamicsWorld.com

Microsoft reported a new critical vulnerability in Power Pages: an improper access control flaw that allows an unauthorized attacker to elevate privileges by bypassing the registration control.

The vulnerability, revealed on February 19, has been exploited but has now been mitigated in the service, Microsoft states. Affected customers have been notified, and the company has also provided instructions “on reviewing their sites for potential exploitation and clean up methods.”

In its report, Microsoft scored the vulnerability at 8.2 on the Common Vulnerability Scoring System (CVSS).

As a public-facing IT system, Power Pages is a perennial target of attackers. Recently, Microsoft had to patch the cloud solution in response to three other issues reported by security experts. Those critical vulnerabilities, as reported by Stratus Security on January 3, would allow for the unauthorized exposure of records.

The January vulnerabilities related to the Power Pages web API, explained Microsoft MVP Nicholas Hayduk, who spoke about them in January 2025’s Portals Community Call event (starting at about 9:30). 

“The point of this is not to scare you away from using the web API, but it does highlight the important fact that whenever you open the Web API, [it] opens a pretty big door into your Dataverse instance,” he told the January call audience. “It's important that we're always being extra careful when we enable it.”

The next Portals Community Call event takes place February 27 at 3pm ET.


About Jason Gumpert

As the editor of MSDynamicsWorld.com, Jason oversees all editorial content on the site and at our events, as well as providing site management and strategy. He can be reached at jgumpert@msdynamicsworld.com.

Prior to co-founding MSDynamicsWorld.com, Jason was a Principal Software Consultant at Parametric Technology Corporation (PTC), where he implemented solutions, trained customers, managed software development, and spent some time in the pre-sales engineering organization. He has also held consulting positions at CSC Consulting and Monitor Group.
