A terrifying Microsoft flaw could’ve allowed hackers to compromise ‘every Entra ID tenant in the world’
The Entra ID vulnerability could have allowed full access to virtually all Azure customer accounts
Microsoft has patched a flaw in Entra ID - previously known as Azure Active Directory - that could have given an attacker full access to virtually every single Entra ID tenant in the world.
The vulnerability, CVE-2025-55241, has been given the maximum CVSS score of 10.0, but doesn’t appear to have been exploited in the wild.
However, Dirk-jan Mollema, the security researcher who discovered the flaw, said it was “the most impactful Entra ID vulnerability that I will probably ever find”.
“This vulnerability could have allowed me to compromise every Entra ID tenant in the world (except probably those in national cloud deployments),” Mollema noted in a blog post detailing his discovery.
Notably, Mollema revealed there were two components to the vulnerability. The first centered on undocumented impersonation tokens, called 'Actor tokens', that Microsoft uses in its back-end for service-to-service (S2S) communication.
Secondly, a critical flaw in the Azure AD Graph API meant that it didn't properly validate the originating tenant, allowing these tokens to be used for cross-tenant access.
"Effectively this means that with a token I requested in my lab tenant I could authenticate as any user, including Global Admins, in any other tenant. Because of the nature of these Actor tokens, they are not subject to security policies like Conditional Access, which means there was no setting that could have mitigated this for specific hardened tenants," Mollema wrote.
"Since the Azure AD Graph API is an older API for managing the core Azure AD / Entra ID service, access to this API could have been used to make any modification in the tenant that global admins can do, including taking over or creating new identities and granting them any permission in the tenant."
With these compromised identities, Mollema found access could’ve also been extended to Microsoft 365 and Azure.
How the Entra ID flaw worked
Starting with an Actor token, an attacker could find the tenant ID for the victim by using public APIs based on the domain name.
After finding a valid netId of a regular user in the tenant, perhaps through brute force, the attacker could create an impersonation token with the Actor token, using the tenant ID and netId of the user in the victim tenant.
Thereafter, an attacker could then list all global admins in the tenant and their netId, craft an impersonation token for the global admin account, and perform any read or write action over the Azure AD Graph API.
Mollema said that while the vulnerability itself was a bad oversight in the token handling, the whole concept of Actor tokens represents a weakness.
"If it weren’t for the complete lack of security measures in these tokens, I don’t think such a big impact with such limited telemetry would have been possible," he said.
Mollema immediately reported his findings to Microsoft, which fixed it within a few days. The tech giant has since rolled out further mitigation measures to block applications from requesting Actor tokens for the Azure AD Graph API.
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
-
Why developers need to sharpen their focus on documentationNews Poor documentation is a leading frustration for developers, research shows, but many are shirking responsibilities – and it's having a huge impact on efficiency.
-
OpenAI says GPT-5.2-Codex is its ‘most advanced agentic coding model yet’News GPT-5.2 Codex is available immediately for paid ChatGPT users and API access will be rolled out in “coming weeks”
-
NHS supplier DXS International confirms cyber attack – here’s what we know so farNews The NHS supplier says front-line clinical services are unaffected
-
The Microsoft bug bounty program just got a big update — and even applies to third-party codeNews Microsoft is expanding its bug bounty program to cover all of its products, even those that haven't previously been covered by a bounty before and even third-party code.
-
LastPass hit with ICO fine after 2022 data breach exposed 1.6 million users – here’s how the incident unfoldedNews The impact of the LastPass breach was felt by customers as late as December 2024
-
Researchers claim Salt Typhoon masterminds learned their trade at Cisco Network AcademyNews The Salt Typhoon hacker group has targeted telecoms operators and US National Guard networks in recent years
-
Trend Micro issues warning over rise of 'vibe crime' as cyber criminals turn to agentic AI to automate attacksNews Trend Micro is warning of a boom in 'vibe crime' - the use of agentic AI to support fully-automated cyber criminal operations and accelerate attacks.
-
Microsoft Teams is getting a new location tracking feature that lets bosses snoop on staff – research shows it could cause workforce pushbackNews A new location tracking feature in Microsoft Teams will make it easier to keep tabs on your colleague's activities – and for your boss to know exactly where you are.
-
Cyber budget cuts are slowing down, but that doesn't mean there's light on the horizon for security teamsNews A new ISC2 survey indicates that both layoffs and budget cuts are on the decline
-
NCSC issues urgent warning over growing AI prompt injection risks – here’s what you need to knowNews Many organizations see prompt injection as just another version of SQL injection - but this is a mistake
