Microsoft Entra ID Critical Vulnerability: A Deep Dive into CVE-2025-55241
A critical security flaw in Microsoft Entra ID, designated CVE-2025-55241, was recently brought to light. This vulnerability, discovered by security researcher Dirk-jan Mollema, could have allowed an attacker to seize complete administrative control over any tenant in Microsoft’s global cloud infrastructure. This post breaks down the vulnerability, its potential impact, and crucial steps for your organization.
Vulnerability Details
CVE-2025-55241 presented a maximum severity risk, earning a CVSS base score of 10.0. This flaw allowed for cross-tenant access, enabling an attacker to impersonate any user, including Global Administrators, in any target organization’s tenant. The researcher described it as “the most impactful vulnerability I will probably ever find.”
The attack mechanism relied on two distinct components:
- Actor Tokens: These are undocumented, internal-use tokens. Microsoft services use them for service-to-service communication. Crucially, these tokens bypass standard security policies such as Conditional Access.
- Azure AD Graph API Flaw: The deprecated Azure AD Graph API contained a significant validation error. It failed to verify that an incoming Actor token originated from the same tenant it attempted to access. The API accepted a token from a different tenant if the request included a valid tenant ID and user identifier for the target.
An attacker combined these components for cross-tenant impersonation. They could request an Actor token within their own controlled environment. Then, they used that token to authenticate against the Azure AD Graph API of a targeted organization. The attacker only needed the target’s public tenant ID and a valid internal user identifier (netId) for a user within that tenant. NetIds could be discovered through brute-force or by “hopping” across tenants with guest user trusts, creating a potential for widespread compromise.
Impact Analysis
Successful exploitation of CVE-2025-55241 would grant an attacker unrestricted control over the targeted tenant. This control extends to all integrated services. Impersonating a Global Administrator meant an attacker achieved complete power over your organization’s Microsoft cloud footprint. They could modify tenant-wide settings, create new identities, or take over existing ones. They could grant any permission to any user or application. This access extended to all connected Microsoft 365 services like Exchange Online and SharePoint Online. It also included managing resources in your Azure environment.
One of the most dangerous aspects was the attack’s stealth. An attacker could use malicious tokens for read-only operations. This allowed them to exfiltrate vast amounts of sensitive information without leaving traces in the victim’s tenant logs. Data at risk included user information, group memberships, administrative roles, tenant configurations, application data, and device information.
Detection Methods
The design of this vulnerability prioritized stealth. This made detection extremely difficult. Read operations using Actor tokens generated no sign-in or audit logs within the target tenant. Any logs appeared only in the attacker’s own tenant. For write operations, audit logs were confusing. They attributed the action to the impersonated administrator but displayed the name of a trusted Microsoft service, like “Office 365 Exchange Online.” Without specific knowledge of this attack vector, security teams could easily overlook such entries.
Even though Microsoft has patched the vulnerability, proactive hunting for historical abuse remains crucial. Use Kusto Query Language (KQL) detection rules to search for past signs of compromise related to this vector. Check your audit logs for unusual activity attributed to trusted Microsoft services, and look for activity that does not align with expected service behavior. Focus on activities linked to administrative changes or extensive data access.
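The triage logic described above, applied to constructed audit records, as an added example that is not code from the post or from the researcher. It assumes the Entra directoryAudit field layout (initiatedBy.user.userPrincipalName and initiatedBy.app.displayName) and a seed list of first-party service names; the same condition can be expressed in the KQL your SIEM runs.

```python
from typing import Iterable, Optional

# First-party Microsoft service names that, per the post, show up as the initiator
# of Actor-token write operations. Seed list assumed for this example; extend it
# from your own tenant's telemetry.
FIRST_PARTY_SERVICES = {"Office 365 Exchange Online", "Office 365 SharePoint Online"}

# Operations that alter privilege or identity state (assumed set; tune locally).
PRIVILEGED_OPERATIONS = {"Add member to role", "Update user",
                         "Add service principal credentials", "Consent to application"}

def classify(entry: dict) -> Optional[str]:
    """Severity for one audit entry, or None if it looks benign.
    Assumed field layout: Entra directoryAudit shape, i.e.
    initiatedBy.user.userPrincipalName and initiatedBy.app.displayName.
    The tell is a human initiator paired with a first-party service name:
    a real service action carries only app, a real admin action only user.
    """
    initiated = entry.get("initiatedBy") or {}
    user = (initiated.get("user") or {}).get("userPrincipalName")
    app = (initiated.get("app") or {}).get("displayName")
    if not user or app not in FIRST_PARTY_SERVICES:
        return None
    return "high" if entry.get("activityDisplayName") in PRIVILEGED_OPERATIONS else "medium"

def triage(entries: Iterable[dict]) -> list:
    """Analyst hit list, high severity first."""
    hits = [{"severity": sev, "time": e.get("activityDateTime"),
             "operation": e.get("activityDisplayName"),
             "actor_user": e["initiatedBy"]["user"]["userPrincipalName"],
             "shown_as": e["initiatedBy"]["app"]["displayName"]}
            for e in entries if (sev := classify(e))]
    return sorted(hits, key=lambda h: h["severity"] != "high")

# Constructed sample records, not real telemetry.
SAMPLE_AUDIT_LOG = [
    {"activityDateTime": "2025-07-10T09:12:00Z", "activityDisplayName": "Update user",
     "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}}},
    {"activityDateTime": "2025-07-10T09:13:00Z", "activityDisplayName": "Update user",
     "initiatedBy": {"app": {"displayName": "Office 365 Exchange Online"}}},
    {"activityDateTime": "2025-07-10T09:14:00Z", "activityDisplayName": "Update group",
     "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"},
                     "app": {"displayName": "Office 365 SharePoint Online"}}},
    {"activityDateTime": "2025-07-10T09:15:00Z", "activityDisplayName": "Add member to role",
     "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"},
                     "app": {"displayName": "Office 365 Exchange Online"}}},
]
```

Only the two records that pair a human principal with a service display name are flagged; the plain admin edit and the plain service edit are left alone, which is the distinction the post says analysts tend to miss.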
Mitigation Strategies
Microsoft responded swiftly, deploying a global fix within three days of the report. They also implemented further mitigations in August 2025, which prevent applications from requesting Actor tokens for this API. While no further action is required from users regarding the patch itself, proactive security hygiene is essential. Implement these strategies to strengthen your defenses:
- Audit Legacy Applications: Identify and verify that no applications in your environment still depend on the deprecated Azure AD Graph API. Legacy APIs often introduce unforeseen security risks.
- Migrate to Microsoft Graph: Prioritize the migration of any remaining applications from the Azure AD Graph API to the modern Microsoft Graph API. Microsoft Graph offers stronger security, better logging, and enhanced auditing capabilities.
- Enforce Least Privilege: Continuously audit permissions. Apply least-privilege principles to all users and service principals. This limits the potential impact of any future compromise.
References and CVSS Details
The vulnerability, CVE-2025-55241, received a CVSS base score of 10.0, indicating its critical severity. Dirk-jan Mollema reported this flaw to the Microsoft Security Response Center (MSRC) on July 14, 2025. Microsoft acknowledged the severity and deployed a global fix by July 17, 2025. A CVE was formally raised on September 4, 2025. Microsoft’s investigation of internal telemetry found no evidence of this vulnerability being exploited in the wild. The company confirmed the vulnerability is fully mitigated. For further reading, consult the original researcher’s blog and Microsoft’s official security advisories on the MSRC website.
