CVE-2025-55241: Microsoft Entra ID Flaw with CVSS 10.0 Could Have Compromised Every Tenant Worldwide

Key takeaways:

  • A critical vulnerability, CVE-2025-55241, in Microsoft Entra ID could have allowed attackers to compromise virtually every tenant worldwide.
  • The vulnerability stemmed from a combination of insecure “Actor tokens” and a validation failure within the legacy Azure AD Graph API.
  • Microsoft addressed the vulnerability by patching it within days of the report and blocking Actor tokens from being requested for Azure AD Graph.

Understanding CVE-2025-55241

CVE-2025-55241 stemmed from the combination of two weaknesses: undocumented, insecure “Actor tokens” and a tenant-validation failure in the legacy Azure AD Graph API. Security researcher Dirk-jan Mollema discovered that the two could be chained to bypass security controls and obtain Global Administrator privileges in any Entra ID tenant. The CVSS score of 10.0 reflects the potential for widespread and severe impact.

Technical Breakdown of the Vulnerability

The issue combined two primary elements:

  1. Undocumented Impersonation Tokens (Actor Tokens): Microsoft uses these tokens for backend service-to-service authentication. They are special JSON Web Tokens (JWTs) issued by Microsoft’s Access Control Service, allowing services like Exchange Online or SharePoint to impersonate users.
  2. Critical Validation Flaw in Azure AD Graph API: The legacy Azure AD Graph API did not check that the tenant named in an impersonation token matched the tenant for which the underlying Actor token had been issued, so it failed to enforce tenant boundaries. Although deprecated, the API was still live and could be exploited.

Mollema found that with an Actor token requested in a test tenant he controlled, he could authenticate as any user, including Global Admins, in any other tenant. Because Actor tokens are not subject to Conditional Access, the attack also bypassed every Conditional Access policy the victim had configured, rendering those controls useless against it.

Actor Tokens: A Deep Dive

Actor tokens are designed to let services impersonate users. However, their design lacked fundamental security controls:

  • No Logging: Neither the issuance nor the usage of Actor tokens were logged.
  • No Revocation: The tokens could not be revoked before their 24-hour expiry.
  • Conditional Access Bypass: Actor tokens bypassed Conditional Access entirely, ignoring configured restrictions.

These shortcomings led Mollema to conclude that the “whole Actor token design is something that never should have existed,” citing the lack of essential security controls. Microsoft internally relies on actor tokens for service-to-service communication and has plans to eliminate them, referring to them as “high-privileged access (HPA)” tokens.

Tenant Boundary Validation Failure

The Azure AD Graph API’s failure to validate tenant IDs formed the second critical component of the vulnerability. By altering the tenant ID in an impersonation token, Mollema accessed data in other tenants. As long as he knew a tenant’s ID (public information) and the netId of a user in that tenant, he could query data.

From this point, attackers could escalate privileges:

  • Impersonate a regular user to enumerate information.
  • Identify Global Admins and craft tokens for them.
  • Achieve full tenant takeover, gaining access to Microsoft 365 and Azure resources.

Compounding the risk, these actions did not generate logs in the victim tenant, making detection exceptionally difficult. Even the supposedly secret netId values were vulnerable, as Mollema discovered they were incremental and brute-forceable. Attackers could also abuse B2B trust relationships, using guest accounts to pivot between tenants.

Attack Scenario

An attacker could have followed these steps to exploit the vulnerability:

  1. Generate an Actor token from a tenant they control.
  2. Find the tenant ID of the targeted environment using public APIs based on the domain name.
  3. Find a valid netId of a regular user in the target tenant.
  4. Craft an impersonation token with the Actor token from the attacker tenant, using the tenant ID and netId of the user in the victim tenant.
  5. List all Global Admins in the tenant and their netId.
  6. Craft an impersonation token for a Global Admin.
  7. Perform any read/write action through the Azure AD Graph API.

Of these steps, only write actions performed in the last one would appear in the victim tenant’s audit log, and those would be attributed to the impersonated account; reads through Azure AD Graph and all of the earlier stages left no trace in the victim tenant.
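The following Python model is added here as an illustration; it is not code from Microsoft or from Mollema’s research. It reduces the flow described in the tenant-boundary section and the attack scenario above to its essentials: a signed Actor token bound to the tenant that requested it, an unsigned impersonation envelope in which the caller names a tenant ID and a netId, and two versions of the resource-side resolver, one that trusts the envelope’s tenant (the pre-fix behaviour) and one that requires it to match the Actor token’s tenant and records every decision. The token layout, the claim names (`tid`, `netid`, `actortoken`), the HMAC signing scheme and the sample tenant and netId values are all assumptions made for the example and are not the real formats.

```python
"""Toy model of the cross-tenant trust failure behind CVE-2025-55241.

Added illustration only: token formats, claim names and the netId scheme
are simplified stand-ins, not the real Actor / impersonation token layouts.
"""
import base64
import hashlib
import hmac
import json

# Constructed signing key standing in for the token service's real key.
ISSUER_KEY = b"constructed-issuer-signing-key"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_actor_token(requesting_tenant: str, service: str) -> str:
    """Issuer side: mint an HMAC-signed actor token bound to the requesting tenant."""
    payload = {"typ": "actor", "tid": requesting_tenant, "svc": service}
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = _b64(hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def build_impersonation_token(actor_token: str, target_tenant: str, net_id: int) -> str:
    """Client side: an unsigned envelope, so the caller picks tid and netid freely.
    Nothing here prevents target_tenant from differing from the actor token's tenant."""
    payload = {"typ": "impersonation", "actortoken": actor_token,
               "tid": target_tenant, "netid": net_id}
    return _b64(json.dumps(payload, sort_keys=True).encode()) + "."  # no signature


def _verify_actor_token(actor_token: str) -> dict:
    body, sig = actor_token.split(".")
    expected = _b64(hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        raise ValueError("actor token signature invalid")
    return json.loads(_unb64(body))


def _parse_impersonation(token: str) -> dict:
    body, _ = token.split(".")  # unsigned envelope: body only
    return json.loads(_unb64(body))


def vulnerable_resolve_caller(token: str) -> tuple:
    """Pre-fix behaviour: the actor token's signature is checked, but the tenant
    and user identity are taken from the attacker-controlled envelope as-is."""
    env = _parse_impersonation(token)
    _verify_actor_token(env["actortoken"])  # valid signature -> trusted
    return env["tid"], env["netid"]         # tenant never cross-checked


def hardened_resolve_caller(token: str, audit_log: list) -> tuple:
    """Boundary enforced: the envelope's tenant must equal the tenant the actor
    token was minted for, and both outcomes are written to an audit log."""
    env = _parse_impersonation(token)
    actor = _verify_actor_token(env["actortoken"])
    if env["tid"] != actor["tid"]:
        audit_log.append({"result": "denied", "actor_tid": actor["tid"],
                          "claimed_tid": env["tid"], "netid": env["netid"]})
        raise PermissionError("cross-tenant impersonation rejected")
    audit_log.append({"result": "allowed", "tid": env["tid"],
                      "netid": env["netid"], "svc": actor["svc"]})
    return env["tid"], env["netid"]


def demo() -> dict:
    """Run the attacker flow against both resolvers with constructed sample values."""
    attacker_tenant = "11111111-1111-1111-1111-111111111111"  # constructed
    victim_tenant = "22222222-2222-2222-2222-222222222222"    # constructed
    victim_netid = 100320012345678                            # constructed
    actor = issue_actor_token(attacker_tenant, "attacker-app")
    forged = build_impersonation_token(actor, victim_tenant, victim_netid)
    accepted_as = vulnerable_resolve_caller(forged)
    log = []
    try:
        hardened_resolve_caller(forged, log)
        outcome = "allowed"
    except PermissionError:
        outcome = "denied"
    return {"vulnerable": accepted_as, "hardened": outcome, "log": log}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running it shows the vulnerable resolver happily returning the victim tenant and netId for a token whose only signed part was minted in the attacker’s tenant, while the hardened resolver denies the request and leaves an audit entry naming both tenants. The two lines that differ (the tenant comparison and the log append) are exactly the controls whose absence the sections above describe: no boundary check and no logging.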

Remediation

Mollema responsibly disclosed the flaw to Microsoft’s Security Response Center (MSRC). Microsoft addressed the vulnerability by:

  • Patching the vulnerability within days of the report.
  • Blocking Actor tokens from being requested for Azure AD Graph.
  • Issuing CVE-2025-55241.

Microsoft had already begun retiring the Azure AD Graph API in September of the previous year, a move away from the vulnerable component. Applications that still call Azure AD Graph without having been configured for extended access are no longer able to use it.

Parallels to Other Security Incidents

This incident shares similarities with other cloud-based identity and access management vulnerabilities. The core problem involves a failure in proper validation and boundary enforcement, which can have catastrophic consequences in multi-tenant environments. Consider the recent incident involving an exposed Oracle Database, which led to a ransomware attack. This highlights the need for secure configurations and diligent patch management across all systems.

Practical Takeaways and Actionable Advice

For technical readers:

  • Review your identity and access management configurations: Ensure strict adherence to the principle of least privilege.
  • Monitor API usage: Even deprecated APIs can pose a risk if they remain active. Implement monitoring to detect unusual activity.
  • Audit service-to-service authentication mechanisms: Understand how your services authenticate to each other and identify potential weaknesses.
  • Implement real-time ransomware intelligence: Leverage PurpleOps Solutions to keep up with the latest ransomware threats.
  • Improve breach detection: Implement comprehensive breach detection mechanisms to identify and respond to security incidents promptly.

For non-technical readers and business leaders:

  • Ensure timely patching: Implement a policy for promptly applying security patches to mitigate known vulnerabilities.
  • Conduct regular security audits: Have your systems and configurations regularly audited by cybersecurity professionals.
  • Invest in cyber threat intelligence: Stay informed about emerging threats and vulnerabilities that could impact your organization.
  • Implement supply-chain risk monitoring: Monitor the security practices of your third-party vendors to minimize the risk of supply chain attacks.
  • Invest in brand leak alerting: Use PurpleOps Solutions to monitor for potential brand leaks.
  • Establish a robust incident response plan: Develop a plan to respond effectively to security incidents, including steps for containment, eradication, and recovery.

PurpleOps and Cybersecurity Solutions

PurpleOps provides a range of services designed to help organizations secure their cloud environments and protect against threats like the one described above. Our expertise in PurpleOps Solutions and real-time ransomware intelligence allows us to provide comprehensive protection against a wide range of cyber threats.

We offer solutions for:

  • Breach Detection: Advanced monitoring and analysis to detect and respond to security incidents.
  • Supply-Chain Risk Monitoring: Assessment of the security posture of your vendors to mitigate supply chain attacks.
  • Brand Leak Alerting: Monitoring the dark web and underground forums for sensitive information about your organization.
  • Telegram threat monitoring: Visibility into threat actors’ communications for better threat intelligence.
  • Underground forum intelligence: Deep dives into hidden online communities that allow cyberattacks to be anticipated.

Our red team operations and penetration testing services can help you identify vulnerabilities in your systems before attackers can exploit them. Additionally, our cyber threat intelligence services provide actionable insights into emerging threats, enabling you to proactively defend against attacks.

Call to Action

Protect your organization from emerging cyber threats. Contact PurpleOps today to learn more about our cybersecurity services and how we can help you secure your cloud environment. Explore our PurpleOps Solutions, red team operations, penetration testing, and supply chain information security services, or visit our platform page for more information. Secure your perimeter with PurpleOps ransomware protection solutions.

FAQ

What is CVE-2025-55241?
CVE-2025-55241 is a critical vulnerability in Microsoft Entra ID that could have allowed attackers to compromise virtually every tenant worldwide.

How was the vulnerability exploited?
The vulnerability was exploited through a combination of insecure “Actor tokens” and a validation failure within the legacy Azure AD Graph API.

What steps were taken to remediate the vulnerability?
Microsoft addressed the vulnerability by patching it within days of the report and blocking Actor tokens from being requested for Azure AD Graph.