Cyber Web Spider Blog – News
All Microsoft Entra Tenants Were Exposed to Silent Compromise via Invisible Actor Tokens: Researcher

Posted on September 23, 2025 By CWS

The strength of responsible disclosure is that it can resolve problems before they are exploited. The weakness is that it potentially generates a false sense of security in the vendor.

On September 4, Microsoft assigned CVE-2025-55241 to an Azure Entra elevation of privilege vulnerability, noting "The vulnerability documented by this CVE requires no customer action to resolve." Simple problem, responsibly disclosed, quickly solved, and nothing to worry about.

But it disguises a far greater threat. Several months earlier, Dirk-jan Mollema had discovered a vulnerability that would have allowed him to compromise any Entra ID tenant in the world, with the possible exception of national cloud deployments, without leaving any trace of an intrusion. Had that vulnerability been discovered by an adversarial nation-state, the harm done, globally, could have been immense.

Mollema combined the existence of undocumented impersonation tokens (known as Actor tokens), used by Microsoft in backend service-to-service communications, with a validation flaw in the Azure AD Graph API. Together, they allowed the undocumented tokens to be used for cross-tenant access.

These Actor tokens were not subject to security policies. Attackers successfully requesting an Actor token within their own tenant could, explains Mollema in a blog post, "authenticate as any user, including Global Admins, in any other tenant."

Once created, an Actor token could impersonate anyone against the target service it was requested for, for 24 hours. "In my personal opinion," he writes, "this whole Actor token design is something that never should have existed. It lacks almost every security control that you would want."

Requesting an Actor token was not logged. There was no record of their existence. The Azure AD Graph API had no API-level logging. So an invisible attacker moving into a target tenant could access Entra ID data for user information, including all personal details, group and role information, the tenant's conditional access policies, any application permission assignment, and device information and BitLocker keys synced to Entra ID.

"If a Global Admin was impersonated, it would also be possible to modify any of the above objects and settings. This would result in full tenant compromise with access to any service that uses Entra ID for authentication..." says Mollema.

Simply accessing the data would leave no logs. A Global Admin impersonation could also modify objects, including within Microsoft 365, which would be logged, but the logs would indicate changes made by a legitimate Global Admin and would not necessarily raise a red flag for defenders.
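The one foothold that paragraph leaves defenders is the modification trail: a change made with an impersonating token lands in the directory audit log under the impersonated admin's name, but no sign-in by that admin precedes it, because the token was never obtained through a normal sign-in. The following is an added example of that correlation, not code from the article and not Mollema's own tooling. The records are constructed, and the field names (user, time, activity), the activity list and the session window are simplified assumptions rather than the exact Entra ID log schema.

```python
"""Added example, not code from the article or from Mollema's research.

Flag privileged directory changes attributed to an account that has no
sign-in on record in the preceding window.  Records are constructed; field
names and the activity list are assumptions, not the real Entra ID schema.
"""
from datetime import datetime, timedelta

# Constructed interactive sign-in records, one per successful sign-in.
SIGN_INS = [
    {"user": "alice@contoso.example", "time": "2025-07-14T08:02:00Z"},
    {"user": "bob@contoso.example", "time": "2025-07-14T09:15:00Z"},
]

# Constructed directory audit records for changes, each attributed to the
# account the change was made as (which is all an impersonation leaves behind).
AUDIT_EVENTS = [
    {"user": "alice@contoso.example", "time": "2025-07-14T08:30:00Z",
     "activity": "Add member to role"},
    {"user": "bob@contoso.example", "time": "2025-07-14T09:20:00Z",
     "activity": "Add app role assignment"},
    {"user": "bob@contoso.example", "time": "2025-07-14T22:40:00Z",
     "activity": "Update conditional access policy"},
    {"user": "carol@contoso.example", "time": "2025-07-14T23:05:00Z",
     "activity": "Add member to role"},
]

# Activities worth correlating; an assumed sample list, not a full catalogue.
PRIVILEGED_ACTIVITIES = {
    "Add member to role",
    "Add app role assignment",
    "Update conditional access policy",
}


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the constructed records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def orphaned_admin_changes(sign_ins, audit_events, window_hours=10):
    """Return privileged audit events with no sign-in by the same account
    inside the preceding window.

    window_hours is an assumed session length for the tenant: a change made
    longer than that after the account's last sign-in, or with no sign-in at
    all, is flagged for review together with the reason.
    """
    sign_in_times = {}
    for rec in sign_ins:
        sign_in_times.setdefault(rec["user"], []).append(parse_ts(rec["time"]))

    window = timedelta(hours=window_hours)
    flagged = []
    for event in audit_events:
        if event["activity"] not in PRIVILEGED_ACTIVITIES:
            continue
        when = parse_ts(event["time"])
        recent = [t for t in sign_in_times.get(event["user"], [])
                  if when - window <= t <= when]
        if recent:
            continue
        if event["user"] in sign_in_times:
            reason = "last sign-in outside window"
        else:
            reason = "no sign-in on record"
        flagged.append({**event, "reason": reason})
    return flagged


if __name__ == "__main__":
    for hit in orphaned_admin_changes(SIGN_INS, AUDIT_EVENTS):
        print(f"{hit['time']} {hit['user']} {hit['activity']}: {hit['reason']}")
```

Two caveats apply. The check only covers modifications; pure reads through the Azure AD Graph produced nothing to correlate, exactly as the article says. And long-lived sessions or token refreshes will produce false positives, so the window is a tuning knob rather than a hard rule.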

Mollema immediately reported his findings to the Microsoft Security Response Center (MSRC) on July 14, 2025. MSRC opened a case the same day. On July 15, 2025, he reported additional details on the impact, and MSRC asked him to stop further investigation of the vulnerability. On July 23, MSRC confirmed the issue had been fixed. By August 6, MSRC had pushed out further mitigations preventing Actor tokens from being issued for the Azure AD Graph with service principal credentials.

And on September 4, 2025, Microsoft issued CVE-2025-55241, together with that line: "The vulnerability documented by this CVE requires no customer action to resolve." This may be true. Mollema should be lauded for his responsible disclosure, and Microsoft commended for its rapid response.

Both Mollema and Microsoft have said they found no evidence that the vulnerability has been used by any attacker, so you could say all's well that ends well. But the whole process hides an uncomfortable reality: cybersecurity is fly-by-wire. The global cybersecurity ecosystem depends on work by researchers and vendors done behind our backs. We often don't know what they have found and fixed, but equally, we don't know what they have missed.

"This incident is a reminder that even the biggest providers are not immune from flaws, and that long-term, undetectable risks demand a proactive strategy that goes beyond traditional security tools," comments Rob Demain, CEO of e2e-assure. His suggestion is that hybrid or multi-cloud approaches could alleviate similar threats. "By keeping some workloads on-premises and distributing others across multiple cloud providers, organizations can reduce dependency on a single vendor and significantly lower systemic risk."

Related: Organizations Warned of Vulnerability in Microsoft Exchange Hybrid Deployment

Related: TeamFiltration Abused in Entra ID Account Takeover Campaign

Related: Ransomware Group Exploits Hybrid Cloud Gaps, Gains Full Azure Control in Enterprise Attacks
