The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a critical Microsoft Power Pages vulnerability to its Known Exploited Vulnerabilities catalog on February 23, 2025, sending ripples through the digital asset community as crypto platforms assess their exposure to enterprise web infrastructure flaws.
The Exploit Mechanics
CVE-2025-24989 carries a CVSS severity score of 8.2 out of 10, classifying it as a high-severity improper access control vulnerability. The flaw exists within Microsoft Power Pages, a low-code platform that organizations use to build external-facing websites. An unauthorized attacker can exploit this vulnerability to elevate privileges over a network, potentially bypassing user registration controls entirely.
The vulnerability was reported to Microsoft by security researcher Raj Kumar. Microsoft confirmed that the flaw is being actively exploited in the wild, meaning threat actors are already leveraging it against real-world targets. The company stated that affected customers have been given instructions for reviewing their sites and cleanup methods, while unaffected organizations were told the vulnerability does not impact them.
For cryptocurrency platforms, the concern is multi-layered. Many exchanges, wallet providers, and DeFi protocols use enterprise content management systems for their public-facing websites, documentation portals, and customer support platforms. A privilege escalation vulnerability in any of these systems could allow attackers to gain administrative access, inject malicious code, or intercept user credentials.
Affected Systems
Microsoft Power Pages is used across industries for building customer portals, partner ecosystems, and support documentation sites. In the crypto space, several institutional platforms and blockchain companies leverage Microsoft enterprise tools for their corporate infrastructure, including customer onboarding flows and KYC verification portals.
The vulnerability specifically targets the user registration control mechanism. Attackers who successfully exploit it can bypass authentication barriers and gain elevated access to system resources. In a crypto context, this could mean unauthorized access to user management panels, API key administration interfaces, or integration endpoints that connect web infrastructure to backend trading systems.
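To make the vulnerability class concrete, the following is an added illustration, not Microsoft's code and not the actual CVE-2025-24989 logic: a hypothetical self-registration handler in which the registration gate and the assigned role can be influenced by client-supplied fields, shown beside a hardened handler that keeps both decisions server-side. The role names, the `Site` object and the request fields are assumptions made for the example.

```python
# Added illustration of improper access control in a self-registration flow.
# Hypothetical handler, NOT Microsoft Power Pages code; role names and request
# field names are assumptions for the example.
from dataclasses import dataclass, field

DEFAULT_ROLE = "authenticated"          # assumed least-privileged role name
PRIVILEGED_ROLES = {"administrator"}    # assumed privileged role name


@dataclass
class Site:
    open_registration: bool                       # server-side registration policy
    users: dict = field(default_factory=dict)     # email -> role


def register_weak(site: Site, request: dict) -> str:
    """Weak pattern: registration gate and role are taken from client input."""
    # If the client supplies 'registration_enabled', it overrides site policy,
    # and any 'role' the client names is stored verbatim.
    if not request.get("registration_enabled", site.open_registration):
        raise PermissionError("registration disabled")
    role = request.get("role", DEFAULT_ROLE)
    site.users[request["email"]] = role
    return role


def register_hardened(site: Site, request: dict) -> str:
    """Hardened pattern: both decisions come only from server-side policy."""
    if not site.open_registration:
        raise PermissionError("registration disabled")
    # Self-registered accounts always receive the least-privileged role;
    # elevation is a separate, audited administrative action.
    role = DEFAULT_ROLE
    site.users[request["email"]] = role
    return role


def privileged_accounts(site: Site) -> list:
    """Audit helper: every account currently holding a privileged role."""
    return sorted(u for u, r in site.users.items() if r in PRIVILEGED_ROLES)


if __name__ == "__main__":
    crafted = {"email": "new@example.test",
               "registration_enabled": True, "role": "administrator"}
    weak_site = Site(open_registration=False)
    print("weak handler granted role:", register_weak(weak_site, crafted))
    print("privileged accounts after weak path:", privileged_accounts(weak_site))
    hardened_site = Site(open_registration=False)
    try:
        register_hardened(hardened_site, crafted)
    except PermissionError as exc:
        print("hardened handler refused:", exc)
```

The `privileged_accounts` helper is the check a reviewer would run after either path: on the hardened site it stays empty unless an administrator explicitly elevated someone.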
CISA has ordered federal agencies to remediate this vulnerability by March 21, 2025, under Binding Operational Directive 22-01. While this directive applies specifically to Federal Civilian Executive Branch agencies, the broader recommendation extends to all private organizations, including those operating in the cryptocurrency sector.
The Mitigation Strategy
Organizations running Microsoft Power Pages should immediately check whether they received a notification from Microsoft regarding this vulnerability. The company has stated that only notified customers are affected. For those who are affected, Microsoft has provided specific review and cleanup instructions.
Beyond the immediate patch, crypto platforms should conduct a broader audit of their web infrastructure. This includes reviewing all third-party services and enterprise platforms that handle user-facing content or authentication flows. Any system with access control mechanisms should be tested against privilege escalation attack vectors.
Security teams should also review logs for any anomalous administrative activity dating back to when the vulnerability was first potentially exploitable. Indicators of compromise include unexpected user account creation, privilege modifications, and changes to registration workflows.
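The log review described above, as an added example that is not code from the article or from Microsoft: a small triage script that walks constructed audit lines in a hypothetical generic schema and reports the three indicator classes named (unexpected account creation, privilege modification, registration-workflow changes), restricted to events on or after a chosen window start. The field names, role names, the admin allow-list and the initial registration mode are all assumptions; the real Power Pages audit format is not reproduced here.

```python
import json
from datetime import datetime

# Constructed sample audit lines in a hypothetical generic schema.
# These are NOT the real Power Pages audit format.
SAMPLE_LOG = """\
{"ts": "2025-02-10T09:12:00Z", "actor": "ops-admin@example.test", "action": "user.create", "target": "alice@example.test", "details": {"role": "authenticated"}}
{"ts": "2025-02-18T02:41:07Z", "actor": "anonymous", "action": "user.create", "target": "x9f2@example.test", "details": {"role": "authenticated"}}
{"ts": "2025-02-18T02:41:20Z", "actor": "x9f2@example.test", "action": "user.role_change", "target": "x9f2@example.test", "details": {"from": "authenticated", "to": "administrator"}}
{"ts": "2025-02-18T02:45:00Z", "actor": "x9f2@example.test", "action": "site.setting_change", "target": "registration.mode", "details": {"from": "invite_only", "to": "open"}}
{"ts": "2025-02-19T11:00:00Z", "actor": "ops-admin@example.test", "action": "user.role_change", "target": "bob@example.test", "details": {"from": "authenticated", "to": "content_editor"}}
"""

KNOWN_ADMINS = {"ops-admin@example.test"}   # assumed allow-list of legitimate admins
PRIVILEGED_ROLES = {"administrator"}         # assumed privileged role name
INITIAL_REGISTRATION_MODE = "invite_only"    # assumed state before the log begins


def parse_log(text):
    """Parse newline-delimited JSON audit events."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage(events, since):
    """Return findings for events at or after `since` (ISO 8601, UTC)."""
    since_dt = _ts(since)
    registration_mode = INITIAL_REGISTRATION_MODE
    findings = []
    for e in sorted(events, key=lambda ev: _ts(ev["ts"])):
        d = e.get("details", {})
        action = e["action"]
        # Track registration state across the whole log, even before the window,
        # so self-registrations inside the window are judged against the right mode.
        if action == "site.setting_change" and e["target"] == "registration.mode":
            registration_mode = d.get("to", registration_mode)
        if _ts(e["ts"]) < since_dt:
            continue
        indicator = None
        if action == "user.create":
            self_service = e["actor"] not in KNOWN_ADMINS
            if (self_service and registration_mode != "open") or d.get("role") in PRIVILEGED_ROLES:
                indicator = "unexpected account creation"
        elif action == "user.role_change":
            if (d.get("to") in PRIVILEGED_ROLES
                    or e["actor"] == e["target"]            # self-elevation
                    or e["actor"] not in KNOWN_ADMINS):
                indicator = "privilege modification"
        elif action == "site.setting_change" and e["target"].startswith("registration."):
            indicator = "registration workflow change"
        if indicator:
            findings.append({"ts": e["ts"], "indicator": indicator,
                             "actor": e["actor"], "target": e["target"],
                             "details": d})
    return findings


if __name__ == "__main__":
    for f in triage(parse_log(SAMPLE_LOG), "2025-02-01T00:00:00Z"):
        print(f["ts"], f["indicator"], "actor=" + f["actor"], "target=" + f["target"])
```

The window start is the date the vulnerability was first potentially exploitable for your tenant; the script keeps registration-mode state from the beginning of the log so that a self-registration inside the window is compared against the mode that was actually in force, not the one configured today.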
Lessons Learned
This incident underscores a critical lesson for the crypto industry: security extends far beyond smart contracts and blockchain protocols. The web infrastructure that supports crypto platforms — from content management systems to customer portals — represents an equally important attack surface.
The fact that this vulnerability is being actively exploited makes rapid response essential. Organizations that delay patching enterprise web platforms expose themselves to supply chain-adjacent attacks where the entry point is not the blockchain itself but the infrastructure surrounding it.
With Bitcoin trading at approximately $96,274 and the total crypto market cap exceeding $3.3 trillion as of February 23, 2025, the financial stakes of any security breach are enormous. Even a peripheral vulnerability in web infrastructure can serve as the initial foothold for a much larger attack campaign.
User Action Required
If your organization uses Microsoft Power Pages, verify your exposure status immediately. Check for Microsoft security notifications and apply patches without delay. For crypto platform operators, integrate enterprise web application security into your regular penetration testing and vulnerability assessment schedules. Users should enable hardware-based two-factor authentication on all exchange accounts and monitor for any unusual login activity.
Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before making any financial decisions.
cvss 8.2 and actively exploited in the wild. if any crypto exchange is running power pages for customer portals that's a huge target on their back right now
most CEXs use some form of low-code portal for onboarding and KYC. bet half of them don't even know they're running power pages under the hood
scary part is how many exchanges built their KYC portals on sharepoint or power apps without realising they inherited this attack surface
chainwhisperer cvss 8.2 and actively exploited means someone is already inside systems running Power Pages. any CEX still unpatched after CISA KEV listing is basically negligent at this point
funny how it's never the blockchain that gets hacked. it's always the web2 infra wrapped around it
every major crypto hack traces back to web2 infrastructure. the blockchain itself has been remarkably solid, it's the surrounding software that keeps failing
Raj Kumar deserves credit for reporting this before it became the next Bybit-scale disaster. Responsible disclosure actually works when people listen.
CISA adding it to the KEV catalog means federal agencies have a deadline to patch. private crypto exchanges have no such obligation, which is the real concern
segfault exactly. federal agencies have a KEV deadline but private exchanges running the same vulnerable software can just ignore it. the attack surface gap is insane
Power Pages running crypto onboarding portals with a CVSS 8.2 vuln actively exploited in the wild. if your exchange KYC runs on a low-code platform maybe rethink your stack