Microsoft responds to new Power Pages Elevation of Privileges Vulnerability

Microsoft reported a new critical vulnerability in Power Pages: an improper access control flaw that unauthorized attackers can exploit via a registration control bypass.
The vulnerability, revealed on February 19, has been exploited but has now been mitigated in the service, Microsoft states. Affected customers have been notified, and the company has also provided instructions “on reviewing their sites for potential exploitation and clean up methods.”
In its report, Microsoft scored the vulnerability at 8.2 using the Common Vulnerability Scoring System (CVSS) model.
As a public-facing IT system, Power Pages is a perennial target of attackers. Recently, Microsoft had to patch the cloud solution in response to three other issues reported by security experts. Those critical vulnerabilities, as reported by Stratus Security on January 3, would allow for the unauthorized exposure of records.
The January vulnerabilities related to the Power Pages web API, explained Microsoft MVP Nicholas Hayduk, who spoke about them in January 2025’s Portals Community Call event (starting at about 9:30).
“The point of this is not to scare you away from using the web API, but it does highlight the important fact that whenever you open the Web API, [it] opens a pretty big door into your Dataverse instance,” he told the January call audience. “It's important that we're always being extra careful when we enable it.”
The next Portals Community Call event takes place February 27 at 3pm ET.