Critical Microsoft’s Entra ID Vulnerability Allows Attackers to Gain Complete Administrative Control

A critical vulnerability in Microsoft’s Entra ID could have allowed an attacker to gain complete administrative control over any tenant in Microsoft’s global cloud infrastructure.

The flaw, now patched, was discovered in July 2025 and has been assigned CVE-2025-55241.

The vulnerability, described by the researcher as the most impactful he will probably ever find, resided in a combination of a legacy authentication mechanism and an API validation error.

According to Dirk-jan Mollema’s detailed write-up, the issue allowed an attacker to use a special type of token from their own tenant to impersonate any user, including Global Administrators, in any other customer’s tenant.

Microsoft’s Entra ID Vulnerability

The attack leveraged two key components:

  1. Actor Tokens: Undocumented, internal-use tokens that Microsoft services use to communicate with each other on behalf of a user. These powerful tokens are not subject to standard security policies like Conditional Access.
  2. Azure AD Graph API Flaw: A critical oversight in the older Azure AD Graph API failed to properly validate that an incoming Actor token originated from the same tenant it was trying to access.

This validation failure meant a token requested in an attacker’s lab environment could be used to target and access a different organization’s tenant.

An attacker could impersonate a Global Admin and gain unrestricted access to modify tenant settings, create or take over identities, and grant any permission.

This control would extend to all connected Microsoft 365 services, such as Exchange Online and SharePoint Online, as well as any resources hosted in Azure.

The vulnerability was exceptionally dangerous because of its stealth. Requesting and using the malicious tokens generated no logs in the victim’s tenant, meaning an attacker could have exfiltrated sensitive information without leaving a trace. This includes:

  • User information and personal details
  • Group memberships and administrative roles
  • Tenant configuration and security policies
  • Application and Service Principal data
  • Device information and BitLocker recovery keys

While reading data was traceless, modifying objects (like adding a new admin) would generate audit logs. However, these logs would confusingly show the impersonated admin’s user name but with the display name of a Microsoft service like “Office 365 Exchange Online,” which could be easily overlooked without specific knowledge of the attack, Dirk-jan Mollema said.
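As an added illustration (not the researcher’s KQL rule and not code from the article), the following Python hunt runs over constructed audit-log records in the Microsoft Graph directoryAudit shape and flags the mismatch described above: a human user principal name in initiatedBy paired with the display name of a Microsoft service. The field names and all sample values are assumptions for the example.

```python
# Display names that a human sign-in should never carry in initiatedBy.user.
# Only the service quoted in the article is listed; defenders extend this set.
SERVICE_DISPLAY_NAMES = {"office 365 exchange online"}

def is_suspicious(record: dict) -> bool:
    """True when a user UPN is paired with a first-party service display name."""
    user = record.get("initiatedBy", {}).get("user") or {}
    upn = (user.get("userPrincipalName") or "").lower()
    name = (user.get("displayName") or "").strip().lower()
    return "@" in upn and name in SERVICE_DISPLAY_NAMES

def hunt(records: list[dict]) -> list[dict]:
    """Return a compact triage summary for every suspicious record."""
    hits = []
    for r in records:
        if is_suspicious(r):
            hits.append({
                "time": r.get("activityDateTime"),
                "activity": r.get("activityDisplayName"),
                "upn": r["initiatedBy"]["user"]["userPrincipalName"],
                "shown_as": r["initiatedBy"]["user"]["displayName"],
                "targets": [t.get("userPrincipalName") or t.get("displayName")
                            for t in r.get("targetResources", [])],
            })
    return hits

# Constructed sample records shaped like Entra directoryAudit entries.
SAMPLE_RECORDS = [
    {   # normal admin action: UPN and display name belong to the same person
        "activityDateTime": "2025-07-15T09:01:00Z",
        "activityDisplayName": "Add member to role",
        "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example",
                                 "displayName": "Alice Admin"}},
        "targetResources": [{"userPrincipalName": "bob@contoso.example"}],
    },
    {   # the pattern from the write-up: admin UPN, service display name
        "activityDateTime": "2025-07-15T09:02:30Z",
        "activityDisplayName": "Add member to role",
        "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example",
                                 "displayName": "Office 365 Exchange Online"}},
        "targetResources": [{"userPrincipalName": "mallory@contoso.example"}],
    },
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_RECORDS):
        print(hit)
```

A record whose initiatedBy carries an app rather than a user is skipped, since the mismatch only applies to entries attributed to a human account.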

To execute the attack, an adversary would only need a target’s public tenant ID and a valid internal user identifier (netId). The researcher noted that these netIds could be discovered by brute-force or, more alarmingly, by “hopping” across tenants that have guest user (B2B) trusts, potentially allowing for an exponential spread of compromise across the cloud ecosystem.

The researcher reported the vulnerability to the Microsoft Security Response Center (MSRC) on July 14, 2025, the same day it was discovered. Microsoft acknowledged the severity and deployed a global fix by July 17, 2025.

Further mitigations were rolled out in August to prevent applications from requesting these types of Actor tokens for the Azure AD Graph API.

According to Microsoft’s investigation of its internal telemetry, no evidence of this vulnerability being abused in the wild was found. The researcher has provided a Kusto Query Language (KQL) detection rule for organizations to hunt for any potential signs of compromise in their own environments.

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.