Microsoft Entra ID Flaw Exposed Tenants to Cross-Tenant Attacks

Key Takeaways:

  • A Microsoft Entra ID vulnerability exposed millions of tenants to potential cross-tenant attacks.
  • The flaw involved flawed token validation in a legacy API now set for deprecation.
  • Microsoft has patched the issue, but experts urge stronger monitoring and migration to modern APIs.

Cybersecurity researchers have discovered a critical privilege escalation vulnerability in Microsoft Entra ID (formerly Azure Active Directory). This security flaw could allow hackers to compromise any Entra ID tenant worldwide.


Security researcher Dirk-jan Mollema reported this vulnerability (tracked as CVE-2025-55241) to the Microsoft Security Response Center (MSRC) in July. The flaw, which received a CVSS score of 9.0, was mitigated on September 4. Its root cause is flawed token validation that could lead to cross-tenant access.

How does the Microsoft Entra ID flaw work?

According to Mollema, this critical vulnerability stems from an authentication failure in the Azure AD Graph API. It’s a legacy interface that allows developers to programmatically access and manage Azure Active Directory resources. Microsoft plans to deprecate this service later this year.

This authentication failure allows unauthorized users to abuse certain internal tokens known as “Actor tokens.” These tokens are typically used for service-to-service communication within Microsoft’s infrastructure. However, the flawed validation logic in the legacy Azure AD Graph API could allow attackers to craft and use these tokens to impersonate users across different tenants. This method enabled hackers to bypass normal security checks (such as conditional access policies) without leaving any trace in logs.

This vulnerability is especially dangerous because it breaks tenant isolation. An attacker from one organization could exploit the tokens and guess user identifiers to gain access to another organization’s resources. Since the tokens were unsigned, they couldn’t be revoked during their lifespan and were accepted without proper verification.

“I tested this in a few more test tenants I had access to, to make sure I was not crazy, but I could indeed access data in other tenants, as long as I knew their tenant ID (which is public information) and the netID of a user in that tenant,” Mollema explained.

[Figure: How an attacker can abuse Actor Tokens (Image Credit: Mollema)]

Microsoft’s mitigation and response

Microsoft has not found any evidence that this vulnerability has been exploited in the wild. The company says that the flaw has been fully mitigated, and users don’t need to take any further action. However, the researcher has shared KQL (Kusto Query Language) scripts that administrators can use to investigate their environments for signs of potential abuse related to the Entra ID vulnerability.

“We mitigated the newly identified issue quickly, and accelerated the remediation work underway to decommission this legacy protocol usage, as part of our Secure Future Initiative (SFI). We implemented a code change within the vulnerable validation logic, tested the fix, and applied it across our cloud ecosystem. We found no evidence of abuse of this vulnerability, and to maintain transparency, we issued a no-action CVE-2025-55241,” Microsoft said in a statement to Dark Reading.

Recommendations for organizations

To protect organizations from this Entra ID vulnerability, administrators should ensure that all systems are updated with the latest security patches. Microsoft has already blocked the use of the flawed Actor tokens, but organizations should also migrate from the deprecated Azure AD Graph API to modern APIs like Microsoft Graph.
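One practical first step in that migration is an inventory of which app registrations still request Azure AD Graph permissions. The script below is an added example, not code from the article, from Microsoft or from the researcher; it assumes a JSON export of application objects in the Microsoft Graph `/applications` shape (`requiredResourceAccess` with `resourceAppId` and `resourceAccess`), and the sample export is constructed.

```python
"""Inventory app registrations that still request legacy Azure AD Graph permissions.

Added example (not from the article, Microsoft or the researcher). Assumes a JSON
export of application objects in the Microsoft Graph /applications shape. The
sample export below is constructed; the two resource app IDs are Microsoft's
well-known identifiers for Azure AD Graph and Microsoft Graph.
"""
import json

AAD_GRAPH_APP_ID = "00000002-0000-0000-c000-000000000000"  # legacy Azure AD Graph
MS_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"   # Microsoft Graph

# Constructed sample export (not real tenant data).
SAMPLE_EXPORT = json.dumps([
    {"appId": "11111111-aaaa-4bbb-8ccc-000000000001", "displayName": "HR Sync",
     "requiredResourceAccess": [
         {"resourceAppId": AAD_GRAPH_APP_ID,
          "resourceAccess": [{"id": "perm-a1", "type": "Role"},
                             {"id": "perm-a2", "type": "Scope"}]}]},
    {"appId": "11111111-aaaa-4bbb-8ccc-000000000002", "displayName": "Portal",
     "requiredResourceAccess": [
         {"resourceAppId": MS_GRAPH_APP_ID,
          "resourceAccess": [{"id": "perm-b1", "type": "Scope"}]}]},
    {"appId": "11111111-aaaa-4bbb-8ccc-000000000003", "displayName": "Mixed",
     "requiredResourceAccess": [
         {"resourceAppId": MS_GRAPH_APP_ID,
          "resourceAccess": [{"id": "perm-b1", "type": "Scope"}]},
         {"resourceAppId": AAD_GRAPH_APP_ID,
          "resourceAccess": [{"id": "perm-a3", "type": "Role"}]}]},
])


def find_legacy_graph_apps(export_json: str) -> list[dict]:
    """Return apps that still request Azure AD Graph, counting application
    (Role) and delegated (Scope) permissions, app-only permissions first."""
    findings = []
    for app in json.loads(export_json):
        roles = scopes = 0
        for rra in app.get("requiredResourceAccess", []):
            if rra.get("resourceAppId") != AAD_GRAPH_APP_ID:
                continue
            for access in rra.get("resourceAccess", []):
                if access.get("type") == "Role":
                    roles += 1
                elif access.get("type") == "Scope":
                    scopes += 1
        if roles or scopes:
            findings.append({"appId": app["appId"], "displayName": app.get("displayName", ""),
                             "applicationPermissions": roles, "delegatedPermissions": scopes})
    # App-only (Role) permissions act without a signed-in user, so list those first.
    findings.sort(key=lambda f: (-f["applicationPermissions"], f["displayName"]))
    return findings


if __name__ == "__main__":
    for f in find_legacy_graph_apps(SAMPLE_EXPORT):
        print(f"{f['displayName']:<8} {f['appId']}  app-roles={f['applicationPermissions']} "
              f"scopes={f['delegatedPermissions']}")
```

Feed it a real export (for example the output of a Microsoft Graph `/applications` query saved to disk) to get the list of registrations to migrate before the legacy API is retired.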

Additionally, organizations should implement robust monitoring using tools like Microsoft Sentinel to look for signs of suspicious token activity. It’s also advised to strengthen conditional access policies, enforce least privilege access, and conduct regular audits of identity configurations.
