A critical vulnerability in Microsoft's Entra ID may have allowed an attacker to gain full administrative control over any tenant in Microsoft's global cloud infrastructure.
The flaw, now patched, was discovered in July 2025 and has been assigned CVE-2025-55241.
The vulnerability, which the researcher described as probably the most impactful he will ever find, lay in a combination of a legacy authentication mechanism and an API validation error.
According to Dirk-jan Mollema's detailed write-up, the issue allowed an attacker to use a special type of token from their own tenant to impersonate any user, including Global Administrators, in any other customer's tenant.
Microsoft’s Entra ID Vulnerability
The attack leveraged two key components:
Actor Tokens: Undocumented, internal-use tokens that Microsoft services use to communicate with one another on behalf of a user. These powerful tokens are not subject to standard security policies such as Conditional Access.
Azure AD Graph API Flaw: A critical oversight in the older Azure AD Graph API meant it did not properly validate that an incoming Actor token originated from the same tenant it was attempting to access.
This validation failure meant a token requested in an attacker's lab environment could be used to target and access a different organization's tenant.
An attacker could impersonate a Global Admin and gain unrestricted access to modify tenant settings, create or take over identities, and grant any permission.
This control would extend to all connected Microsoft 365 services, such as Exchange Online and SharePoint Online, as well as any resources hosted in Azure.
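The core of the flaw is a missing binding between the tenant that issued a token and the tenant the request targets. The following Python illustration is added here and is not Microsoft's code; the real Actor token format is undocumented, so the claim layout (issuing tenant, acting service, subject netId) and the tenant IDs are assumptions chosen to show the check the API lacked next to the check that closes the hole.

```python
"""Added illustration, not Microsoft's code: the tenant check behind the
Azure AD Graph API flaw. The real Actor token format is undocumented, so the
claim layout below is an assumption chosen for clarity."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ActorToken:
    """Simplified stand-in for a service-to-service (Actor) token."""
    issuing_tenant: str   # tenant that issued the token (assumed claim)
    actor_service: str    # first-party service acting on behalf of a user
    subject_netid: str    # internal user identifier (netId) being impersonated


class TenantMismatchError(PermissionError):
    """Raised when a token from one tenant is presented against another."""


def vulnerable_authorize(token: ActorToken, target_tenant: str) -> str:
    """Models the pre-fix behaviour: the token's issuing tenant is never compared
    with the tenant named in the request, so a token minted in one tenant is
    accepted against any other tenant."""
    # No tenant comparison here; that omission is the defect.
    return f"{target_tenant}:{token.subject_netid}"


def hardened_authorize(token: ActorToken, target_tenant: str) -> str:
    """Post-fix behaviour: the token must have been issued by the tenant it is
    used against; anything else is rejected before the subject is resolved."""
    if token.issuing_tenant != target_tenant:
        raise TenantMismatchError(
            f"token issued by {token.issuing_tenant!r} cannot act in {target_tenant!r}"
        )
    return f"{target_tenant}:{token.subject_netid}"


# Constructed sample values; the tenant IDs, service name and netId are placeholders.
ATTACKER_TENANT = "11111111-1111-1111-1111-111111111111"
VICTIM_TENANT = "22222222-2222-2222-2222-222222222222"
cross_tenant_token = ActorToken(ATTACKER_TENANT, "example-service", "netid-placeholder")


def demo() -> dict:
    """Returns what each implementation does with the same cross-tenant token."""
    results = {"vulnerable": vulnerable_authorize(cross_tenant_token, VICTIM_TENANT)}
    try:
        hardened_authorize(cross_tenant_token, VICTIM_TENANT)
        results["hardened"] = "accepted"
    except TenantMismatchError:
        results["hardened"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the comparison is that the subject lookup in the vulnerable path is reached with no evidence that the caller has any relationship to the target tenant; the hardened path refuses before any directory data is touched, which is the behaviour the July fix restored.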
The nature of the vulnerability made it exceptionally dangerous because of its stealth. Requesting and using the malicious tokens generated no logs in the victim's tenant, meaning an attacker could have exfiltrated sensitive information without leaving a trace. This includes:
User information and personal details
Group memberships and administrative roles
Tenant configuration and security policies
Application and Service Principal data
Device information and BitLocker recovery keys
While reading data was traceless, modifying objects (such as adding a new admin) would generate audit logs. However, these logs would confusingly show the impersonated admin's user name but with the display name of a Microsoft service such as "Office 365 Exchange Online," which could easily be overlooked without specific knowledge of the attack, Dirk-jan Mollema said.
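The audit-log anomaly described above is the one trace a write operation leaves, so it is the natural thing to hunt for. The Python example below is added here and is not the researcher's published KQL rule; it works over a few constructed audit records in a simplified subset of the Entra directory audit shape (initiatedBy.user with userPrincipalName and displayName) and flags a human user principal name paired with a service display name. The list of service display names is an assumption seeded from the one name the article gives.

```python
"""Added hunting example for this article; not the researcher's KQL rule.
Flags Entra audit records where a user-style UPN is paired with the display
name of a Microsoft service. Record shape is a simplified subset of the
directory audit schema; all sample records are constructed."""
import re

# Service display names the article associates with impersonated writes.
# Assumed and incomplete; extend it from your own audit data.
SERVICE_DISPLAY_NAMES = {
    "Office 365 Exchange Online",
}

UPN_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def is_suspicious(record: dict) -> bool:
    """True when the initiating *user* carries a real UPN but a service display name."""
    user = record.get("initiatedBy", {}).get("user") or {}
    upn = user.get("userPrincipalName") or ""
    display = user.get("displayName") or ""
    return bool(UPN_RE.match(upn)) and display in SERVICE_DISPLAY_NAMES


def hunt(records: list) -> list:
    """Returns (id, activity, upn) for every record that matches the anomaly."""
    return [
        (r["id"], r["activityDisplayName"], r["initiatedBy"]["user"]["userPrincipalName"])
        for r in records
        if is_suspicious(r)
    ]


# Constructed sample records; domain, names and ids are placeholders.
SAMPLE_AUDIT_LOG = [
    {   # the anomaly: an admin UPN shown with a service display name
        "id": "evt-1", "activityDisplayName": "Add member to role",
        "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example",
                                  "displayName": "Office 365 Exchange Online"}},
    },
    {   # ordinary admin activity: UPN and display name belong to the same person
        "id": "evt-2", "activityDisplayName": "Update user",
        "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example",
                                  "displayName": "Alice Admin"}},
    },
    {   # ordinary service activity: recorded under initiatedBy.app, no UPN at all
        "id": "evt-3", "activityDisplayName": "Update application",
        "initiatedBy": {"app": {"displayName": "Office 365 Exchange Online",
                                 "servicePrincipalId": "sp-placeholder"}},
    },
]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_AUDIT_LOG):
        print("suspicious:", hit)
```

The discriminator is the combination, not either field alone: a service display name under initiatedBy.app is routine, and an admin UPN with its own display name is routine, but an admin UPN under initiatedBy.user wearing a service's display name is the pattern the write-up describes. Any hit should be checked against the admin's own session history and the actual change made.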
To execute the attack, an adversary would only need a target's public tenant ID and a valid internal user identifier (netId). The researcher noted that these netIds could be discovered by brute force or, more alarmingly, by "hopping" across tenants that have guest user (B2B) trusts, potentially allowing an exponential spread of compromise across the cloud ecosystem.
The researcher reported the vulnerability to the Microsoft Security Response Center (MSRC) on July 14, 2025, the same day it was discovered. Microsoft acknowledged the severity and deployed a global fix by July 17, 2025.
Further mitigations were rolled out in August to prevent applications from requesting these kinds of Actor tokens for the Azure AD Graph API.
According to Microsoft's investigation of its internal telemetry, no evidence of this vulnerability being abused in the wild was found. The researcher has provided a Kusto Query Language (KQL) detection rule for organizations to hunt for any potential indicators of compromise in their own environments.