A critical **token validation failure (CVE-2025-55241, CVSS 10.0)** in **Microsoft Entra ID (formerly Azure AD)**, discovered by researcher **Dirk-jan Mollema**, could have enabled attackers to **impersonate any user, including Global Administrators, in any tenant**, with no evidence of exploitation in the wild. The flaw stemmed from **improper tenant validation in the deprecated Azure AD Graph API** combined with misuse of **S2S actor tokens**, allowing **cross-tenant access** that bypassed **MFA, Conditional Access, and logging**.

An attacker exploiting this could **create admin accounts, exfiltrate sensitive data (user information, BitLocker keys, tenant settings, Azure subscriptions), and fully compromise services** such as **SharePoint Online, Exchange Online, and Azure-hosted resources**. Because the **legacy API produced no logs**, an intrusion would have left **no traces**. Microsoft patched the issue server-side on **July 17, 2025**, but the **deprecated API's retirement (August 31, 2025)** left lingering risk for unmigrated applications.

Security firms such as **Mitiga** warned of **full tenant takeover risks**, emphasizing how **misconfigurations in cloud identity systems** (e.g., OAuth, Intune, APIM) can lead to **lateral movement, privilege escalation, and persistent access**, exposing **enterprise data, financial records, and operational control** to silent, high-impact breaches.
Source: https://thehackernews.com/2025/09/microsoft-patches-critical-entra-id.html
TPRM report: https://www.rankiteo.com/company/microsoft
"id": "mic4733147092225",
"linkid": "microsoft",
"type": "Vulnerability",
"date": "1/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'customers_affected': 'All Microsoft Entra ID (Azure '
'AD) tenants (excluding national '
'cloud deployments)',
'industry': 'Technology (Cloud Services, Identity '
'Management)',
'location': 'Global',
'name': 'Microsoft',
'size': 'Large (Enterprise)',
'type': 'Corporation'}],
'attack_vector': ['Network',
'Token Manipulation',
'API Abuse (Azure AD Graph API)'],
'customer_advisories': ['No customer action required for the vulnerability '
'patch.',
'Customers advised to review and update applications '
'relying on deprecated Azure AD Graph API.'],
'data_breach': {'data_exfiltration': 'Potential (no evidence of exploitation '
'in the wild)',
'personally_identifiable_information': 'Potential (via user '
'profile data in Entra '
'ID)',
'sensitivity_of_data': 'High (includes administrative '
'credentials and encryption keys)',
'type_of_data_compromised': ['User identities',
'Group/role memberships',
'Tenant configurations',
'Application permissions',
'Device metadata (including '
'BitLocker keys)',
'Azure resource access '
'credentials']},
'date_detected': '2025-07-14',
'date_publicly_disclosed': '2025-07-17',
'date_resolved': '2025-07-17',
'description': 'A critical token validation failure in Microsoft Entra ID '
'(previously Azure Active Directory) could have allowed '
'attackers to impersonate any user, including Global '
'Administrators, across any tenant. The vulnerability, tracked '
'as CVE-2025-55241, was assigned a CVSS score of 10.0 and '
'stemmed from a combination of service-to-service (S2S) actor '
'tokens issued by the Access Control Service (ACS) and a flaw '
'in the legacy Azure AD Graph API that did not validate the '
'originating tenant. This allowed cross-tenant access, '
'bypassing MFA, Conditional Access, and logging. The issue was '
'reported by security researcher Dirk-jan Mollema on July 14, '
'2025, and patched by Microsoft on July 17, 2025, with no '
'evidence of exploitation in the wild.',
'impact': {'brand_reputation_impact': 'High (due to potential for undetected, '
'large-scale impersonation and data '
'exfiltration)',
'data_compromised': ['User information (Entra ID)',
'Group and role details',
'Tenant settings',
'Application permissions',
'Device information',
'BitLocker keys',
'Azure resource access (via Global Admin '
'impersonation)'],
'identity_theft_risk': 'High (impersonation of Global Admins and '
'users)',
'operational_impact': 'Potential full tenant compromise, including '
'unauthorized account creation, permission '
'escalation, and data exfiltration across '
'all Entra ID-integrated services.',
'systems_affected': ['Microsoft Entra ID (Azure AD)',
'Azure AD Graph API (graph.windows.net)',
'SharePoint Online',
'Exchange Online',
'Azure-hosted resources (via tenant-level '
'access)']},
'initial_access_broker': {'entry_point': 'Legacy Azure AD Graph API '
'(graph.windows.net) via flawed S2S '
'actor token validation',
'high_value_targets': ['Global Administrator roles',
'Entra ID tenant '
'configurations',
'Azure subscription '
'permissions',
'BitLocker keys',
'SharePoint/Exchange Online '
'data']},
'investigation_status': 'Resolved (patched; no evidence of exploitation)',
'lessons_learned': ['Legacy APIs (e.g., Azure AD Graph) can introduce '
'critical vulnerabilities if not properly deprecated or '
'secured.',
'Cross-tenant access risks in cloud identity systems '
'require robust tenant isolation and token validation.',
'Lack of API-level logging can enable stealthy '
'exploitation without detection.',
'Conditional Access and MFA can be bypassed if underlying '
'identity validation mechanisms are flawed.',
'Proactive migration from deprecated services is '
'essential to mitigate emerging risks.'],
'post_incident_analysis': {'corrective_actions': ['Server-side patch to '
'enforce tenant validation '
'in token processing.',
'Accelerated deprecation of '
'Azure AD Graph API '
'(retired August 31, 2025).',
'Enhanced guidance for '
'migrating to Microsoft '
'Graph.',
'Internal review of '
'high-privileged access '
'(HPA) scenarios in Entra '
'ID.'],
'root_causes': ['Inadequate tenant validation in '
'Azure AD Graph API for S2S actor '
'tokens.',
'Over-reliance on deprecated '
'legacy APIs without enforced '
'migration timelines.',
'Lack of API-level logging for the '
'Graph API, enabling stealthy '
'exploitation.',
'Conditional Access policies '
'applied to tokens that could be '
'manipulated cross-tenant.']},
'recommendations': ['Accelerate migration from Azure AD Graph API to '
'Microsoft Graph before the August 31, 2025 deadline.',
'Implement stricter token validation for '
'service-to-service (S2S) interactions, especially in '
'multi-tenant environments.',
'Enhance logging for legacy APIs to detect anomalous '
'cross-tenant access attempts.',
'Review and audit applications with high-privileged '
'access (HPA) to Entra ID and Azure resources.',
'Monitor for unusual Global Administrator activity, such '
'as unexpected permission grants or account creations.',
'Adopt zero-trust principles for cloud identity systems, '
'including least-privilege access and continuous '
'validation.',
'Conduct regular red-team exercises to test for '
'cross-tenant impersonation and privilege escalation '
'scenarios.'],
'references': [{'date_accessed': '2025-07-17',
'source': 'Microsoft Security Response Center (MSRC)',
'url': 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55241'},
{'date_accessed': '2025-07-14',
'source': 'Dirk-jan Mollema (Researcher Blog)'},
{'date_accessed': '2025-07',
'source': 'Mitiga Research (Roei Sherman)'},
{'date_accessed': '2025-06',
'source': 'Microsoft Deprecation Notice for Azure AD Graph '
'API',
'url': 'https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/azure-ad-graph-retirement-august-31-2025/ba-p/4123456'}],
'response': {'communication_strategy': ['Public disclosure via Microsoft '
'Security Response Center (MSRC)',
'Technical blog post by researcher '
'Dirk-jan Mollema',
'Advisories from cloud security firms '
'(e.g., Mitiga)'],
'containment_measures': ['Patch deployed by Microsoft on July '
'17, 2025',
'Deprecation and retirement of Azure AD '
'Graph API (effective August 31, 2025)',
'Migration guidance to Microsoft Graph '
'for affected applications'],
'incident_response_plan_activated': True,
'remediation_measures': ['No customer action required '
'(server-side patch)',
'Encouragement to migrate from Azure AD '
'Graph API to Microsoft Graph',
'Review of applications with extended '
'access to Azure AD Graph API']},
'stakeholder_advisories': ['Microsoft urged customers to migrate from Azure '
'AD Graph API to Microsoft Graph by August 31, '
'2025.',
'Applications with extended access to Azure AD '
'Graph API were warned of impending API retirement '
'in early September 2025.'],
'title': 'Critical Token Validation Failure in Microsoft Entra ID '
'(CVE-2025-55241)',
'type': ['Privilege Escalation', 'Impersonation', 'Cross-Tenant Access'],
'vulnerability_exploited': 'CVE-2025-55241 (Token Validation Failure in '
'Microsoft Entra ID / Azure AD Graph API)'}