
Major Flaw in Microsoft Entra ID Exposed

A severe vulnerability in Microsoft's Entra ID could have allowed an attacker to take over any customer's account, or "tenant," in Microsoft's global cloud. The flaw, which has now been patched, was discovered in July 2025 and is tracked as CVE-2025-55241.

The researcher who found the bug described it as one of the most impactful he will ever find. It was a combination of a legacy authentication method and an error in an API's validation process.

How the Attack Worked 

The attack, detailed by researcher Dirk-jan Mollema, exploited two key components: 

  • Actor Tokens: These are internal, undocumented tokens that Microsoft services use to communicate. Unlike regular tokens, they are not subject to standard security policies. 
  • Azure AD Graph API Flaw: A critical bug in the older Azure AD Graph API failed to check if an incoming Actor token was from the correct tenant. 

This failure meant an attacker could get a token from their own environment and use it to impersonate any user in a different organization’s tenant, including Global Administrators. 
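As an added illustration (not code from the original article or from the researcher's write-up), here is a constructed model of the missing check: both validators accept only correctly signed Actor tokens, but only the hardened one also requires the token's issuing tenant to match the tenant being accessed. The token format, claim names and shared service key are assumptions made for the demo, not Microsoft's real implementation.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Constructed model: one service key signs every Actor token, so a token
# minted in any tenant carries a valid signature. Signature checks alone
# therefore cannot tell tenant A's token from tenant B's.
SERVICE_KEY = b"constructed-demo-key"


def mint_actor_token(issuing_tenant: str, user_id: str) -> str:
    """Issue a demo Actor token for user_id in issuing_tenant."""
    payload = json.dumps(
        {"type": "actor", "tenant": issuing_tenant, "sub": user_id}
    ).encode()
    sig = hmac.new(SERVICE_KEY, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + sig


def _verify_signature(token: str):
    """Return the claims if the token is well-formed and signed, else None."""
    try:
        body, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(body.encode())
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SERVICE_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(payload)


def vulnerable_authorize(token: str, target_tenant: str):
    """Flawed check: validates signature and type, ignores issuing tenant."""
    claims = _verify_signature(token)
    if not claims or claims.get("type") != "actor":
        return None
    return claims["sub"]  # accepted regardless of target_tenant


def hardened_authorize(token: str, target_tenant: str):
    """Corrected check: the token must come from the tenant being accessed."""
    claims = _verify_signature(token)
    if not claims or claims.get("type") != "actor":
        return None
    if claims.get("tenant") != target_tenant:
        return None  # cross-tenant token rejected
    return claims["sub"]
```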

The Dangers of the Flaw 

By impersonating a Global Admin, an attacker could get complete control over a tenant. This includes the ability to: 

  • Change tenant settings. 
  • Create or take over user accounts. 
  • Grant any permissions. 

This level of control would also extend to all linked Microsoft 365 services, such as Exchange Online and SharePoint Online, as well as any resources in Azure. 

What made the vulnerability especially dangerous was its stealth. The malicious tokens created no logs in the victim's tenant, so an attacker could steal sensitive information without leaving a trace. This includes personal details, group memberships, and even BitLocker recovery keys. While modifying objects would create logs, they would show the impersonated admin's name but with a misleading service name, making the activity easy to miss. 

To execute the attack, an attacker would need only the target's tenant ID and a valid internal user ID, both of which could be found through brute force or by "hopping" between connected tenants.

Microsoft's Response 

The researcher reported the vulnerability to the Microsoft Security Response Center on July 14, 2025. Microsoft quickly acknowledged the issue and deployed a global fix by July 17, 2025. Further security measures were added in August. 

According to Microsoft, there is no evidence that this vulnerability was ever used in the wild. The researcher has also provided a detection rule to help organizations check their own environments for any signs of potential compromise. 
