Microsoft has patched a critical vulnerability in Entra ID (formerly Azure Active Directory) that could have allowed attackers to gain Global Admin privileges in any tenant worldwide.

The flaw, tracked as CVE-2025-55241, was reported by security researcher Dirk-Jan Mollema, who discovered a dangerous combination of legacy tokens and a deprecated API.

At the heart of the issue were undocumented “actor tokens,” originally issued by Microsoft’s old Access Control Service. These tokens were designed for service-to-service authentication, particularly in hybrid Exchange and SharePoint environments. However, Mollema found that actor tokens were not signed, could be crafted without Entra ID involvement, and had a 24-hour validity period during which they could not be revoked. Even worse, their use generated no logs in the tenant, making detection nearly impossible.

The second piece of the puzzle was the deprecated Azure AD Graph API (graph.windows.net). When combined with actor tokens, it allowed attackers to impersonate any user in any tenant — including Global Admins. Mollema demonstrated that with only a tenant ID (publicly available) and a user NetID, an attacker could craft a malicious impersonation token, access sensitive tenant data, escalate privileges to Global Administrator, and perform read/write actions without leaving meaningful traces.

Mollema reported the issue to Microsoft on July 14, 2025. The company confirmed the vulnerability and issued a fix within nine days. On September 4, 2025, Microsoft released a security update addressing the flaw, describing it as a critical privilege escalation vulnerability. The tech giant also reiterated its plans to fully deprecate the Azure AD Graph API, warning developers to migrate to Microsoft Graph for security and long-term support.

READ
Opera GX Fixes Critical Browser Flaw That Could Secretly Leak Your Gmail Address

This vulnerability highlights the risks of legacy authentication systems lingering inside modern cloud platforms. The ability to impersonate users without logs or revocation is a nightmare scenario for enterprise security teams, especially when it applies across every Microsoft Entra tenant worldwide. Organizations using Entra ID for access to Microsoft 365, Salesforce, Dropbox, Google Cloud, AWS, and other apps could have been exposed.


Buy ExpressVPN with PayPal or Credit Card

While Microsoft has patched CVE-2025-55241, the incident underscores the importance of phasing out legacy authentication methods, closely monitoring deprecation timelines for old APIs, and implementing robust security monitoring beyond tenant logs. For now, admins are urged to ensure their systems are up to date and to audit applications still relying on deprecated services.

Advertisement