Uncovered Vulnerability in Microsoft's Entra ID Grants Attackers Total Administrative Access
A critical security vulnerability in Microsoft Entra ID, designated CVE-2025-55241, was discovered on July 14, 2025 and reported by security researcher Dirk-Jan Mollema to the Microsoft Security Response Center.
The vulnerability allowed an attacker to exfiltrate sensitive information, such as user information, group memberships, tenant configuration, application data, device information, and BitLocker recovery keys, without leaving a trace. It also enabled an attacker to impersonate any user, including Global Administrators, in any other customer's tenant.
The vulnerability resulted from the combination of a legacy authentication mechanism and an API validation error. The first component was Actor Tokens: undocumented, internal-use tokens that Microsoft services use to communicate with each other on behalf of a user, and which are not subject to standard security policies such as Conditional Access. The second component was the Azure AD Graph API, which failed to validate that an incoming Actor token originated from the same tenant it was being used to access.
Modifying objects in the victim's tenant would generate audit logs, but those entries would show the impersonated admin's user name paired with the display name of a Microsoft service, making the attacker's activity hard to distinguish from legitimate service traffic. To execute the attack, an adversary needed the target's public tenant ID and a valid internal user identifier, which could be discovered by brute force or by hopping across tenants that have guest user trusts.
An attacker, by impersonating a Global Admin, could gain unrestricted access to modify tenant settings, create or take over identities, and grant any permission. However, Microsoft's investigation found no evidence of the vulnerability being abused in the wild.
In response to the report, Microsoft deployed a global fix by July 17, 2025, and further mitigations were rolled out in August to prevent applications from requesting these types of Actor tokens for the Azure AD Graph API. The researcher also provided a Kusto Query Language (KQL) detection rule for organizations to hunt for any potential signs of compromise in their own environments.
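The audit-log artifact described above (an admin's user principal name paired with a service's display name) can be hunted for without the researcher's KQL rule. The following is an added example, not code from the original report or from Microsoft: it runs over constructed JSON audit records whose field layout is assumed to follow the Entra `AuditLogs` `InitiatedBy` shape, and compares each initiator's display name against a constructed directory snapshot.

```python
import json

# Constructed directory snapshot (placeholder tenant): UPN -> display name on record.
DIRECTORY = {
    "admin@contoso.example": "Alice Admin",
    "bob@contoso.example": "Bob Builder",
}

# Constructed sample audit records. The field layout is an assumption modelled on the
# Entra AuditLogs 'InitiatedBy' column; adapt the key names to your own export.
SAMPLE_LOGS = [
    '{"OperationName":"Update user","InitiatedBy":{"user":{'
    '"userPrincipalName":"admin@contoso.example","displayName":"Alice Admin"}}}',
    '{"OperationName":"Add member to group","InitiatedBy":{"user":{'
    '"userPrincipalName":"admin@contoso.example","displayName":"Example Service (placeholder)"}}}',
    '{"OperationName":"Add service principal","InitiatedBy":{"app":{'
    '"displayName":"Example App (placeholder)"}}}',
    '{"OperationName":"Update user","InitiatedBy":{"user":{'
    '"userPrincipalName":"guest@other.example","displayName":"Unknown Person"}}}',
    'not json at all',
]


def find_display_name_mismatches(lines, directory):
    """Return records where a known user's UPN is paired with a display name that
    differs from the directory's, the pattern the impersonated-admin entries show."""
    findings = []
    for raw in lines:
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the whole hunt
        user = (rec.get("InitiatedBy") or {}).get("user") or {}
        upn = user.get("userPrincipalName")
        shown = user.get("displayName")
        if not upn or not shown:
            continue  # app-initiated or incomplete records are out of scope here
        expected = directory.get(upn)
        if expected is None:
            continue  # UPN not in the snapshot, so the display name cannot be judged
        if shown.casefold() != expected.casefold():
            findings.append({
                "operation": rec.get("OperationName"),
                "userPrincipalName": upn,
                "displayName": shown,
                "expected": expected,
            })
    return findings
```

A hit only means the display name does not match the directory; confirm against the original log entry and the user's actual activity before treating it as compromise.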
This discovery underscores the importance of regular security audits and the vigilance required to protect sensitive information in today's digital landscape. With the quick response from Microsoft, the vulnerability has since been patched, ensuring the safety of its users.