Microsoft has addressed an important security vulnerability in Azure Entra ID, tracked as CVE-2025-55241, that was initially described as a low-impact privilege escalation bug. Security analysis later revealed the flaw was far more severe, allowing attackers to impersonate any user, including Global Administrators.
The vulnerability was originally identified by cybersecurity researcher Dirk-Jan Mollema while preparing for Black Hat and DEF CON presentations earlier this year. His findings showed that undocumented “Actor tokens,” combined with a validation failure in the legacy Azure AD Graph API, could be abused to impersonate any user in any Entra ID tenant, even a Global Administrator.
This meant a token generated in a single lab tenant could grant administrative control over others, with no alerts or logs if only reading data, and limited traces if changes were made.
The design of Actor tokens, according to Mollema, made the problem even worse. These tokens are issued for backend service-to-service communication and bypass normal security protections such as Conditional Access. Once obtained, they allowed impersonation of other identities for 24 hours, during which no revocation was possible.
Microsoft applications could generate them with impersonation rights, but non-Microsoft apps would be denied that privilege. Because the Azure AD Graph API lacked logging, administrators would not see when attackers accessed user data, groups, roles, tenant settings, service principals, BitLocker keys, policies, and so on.
In his detailed technical blog post, Mollema demonstrated that impersonation worked across tenants because the Azure AD Graph API did not validate the token’s originating tenant. By altering the tenant ID and targeting a known user identifier (netId), he could move from his own tenant into any other.
With a valid netId of a Global Admin, the door opened to full takeover of Microsoft 365, Azure subscriptions, and connected services. Worse, netIds could be brute forced quickly, or in some cases, retrieved from guest account attributes in cross-tenant collaborations.
Microsoft rolled out a global fix on July 17, just three days after the initial report, and later added further mitigations that block applications from requesting Actor tokens for the Azure AD Graph. The company said no evidence of exploitation was found in its internal telemetry. On September 4, the vulnerability was formally catalogued as CVE-2025-55241.
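The class of defect described above, as an added illustration that is not Microsoft's code and does not model the real Actor token format: a simplified HMAC-signed token with assumed claim names (`tid`, `netid`) and constructed tenant IDs, checked once the way the article says the legacy API did (signature only) and once with the issuing tenant tied to the tenant whose data is requested.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed values for this illustration only; not real keys or tenants.
SIGNING_KEY = b"example-key-not-real"
TENANT_A = "11111111-1111-1111-1111-111111111111"
TENANT_B = "22222222-2222-2222-2222-222222222222"


def mint_token(tenant_id: str, net_id: str) -> str:
    """Issue a simplified signed token binding an impersonated netId to its issuing tenant."""
    claims = json.dumps({"tid": tenant_id, "netid": net_id}).encode()
    body = base64.urlsafe_b64encode(claims).decode()
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def parse_token(token: str) -> Optional[dict]:
    """Return the claims only if the signature verifies; None otherwise."""
    body, _, sig = token.partition(".")
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body))


def authorize_vulnerable(token: str, requested_tenant: str) -> bool:
    """Flawed check: any validly signed token is accepted for whatever tenant the request names."""
    return parse_token(token) is not None


def authorize_hardened(token: str, requested_tenant: str) -> bool:
    """Correct check: the token's issuing tenant must equal the tenant whose data is requested."""
    claims = parse_token(token)
    if claims is None:
        return False
    if claims["tid"] != requested_tenant:
        # Record the mismatch so cross-tenant attempts leave a trace for defenders.
        print(f"rejected: token tenant {claims['tid']} != requested tenant {requested_tenant}")
        return False
    return True
```

A token minted in TENANT_A passes the flawed check against TENANT_B but is rejected by the hardened one, which is the boundary the article says the legacy API failed to enforce.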
Security professionals, however, say the issue exposes broader concerns about trust in cloud identity systems. Anders Askasan, Director of Product at Radiant Logic, argued that “This incident shows how undocumented identity features can quietly bypass Zero Trust.”
“Actor tokens created a shadow backdoor with no policies, no logs, no visibility, undermining the very foundation of trust in the cloud. The takeaway is clear: vendor patching after the fact simply isn’t enough,” he added.
“To reduce systemic risk, enterprises need independent observability across their entire identity fabric, continuously correlating accounts, entitlements, and policies,” he advised. “Organisations need a trusted, vendor-agnostic view of their identity data and controls, so they can validate in real time and act before an adversarial incursion escalates into a breach that’s almost impossible to unwind.”