A critical vulnerability in Microsoft Entra ID, Microsoft's cloud identity and access management service, has been uncovered that could have led to a catastrophic breach, giving attackers near-total control over every Azure customer tenant. Security researcher Dirk-jan Mollema found two flaws in Entra ID, the system that manages identities, access, applications, and subscriptions across Microsoft Azure and Microsoft 365. Chained together, they would have let an attacker act with Global Administrator privileges in nearly every Entra ID tenant worldwide.
The first issue involves "Actor Tokens," undocumented tokens that Microsoft's backend services use internally for service-to-service communication. Their issuance is not logged in the tenant, they are valid for 24 hours, and they are not subject to security policies such as Conditional Access, so an attacker holding one could impersonate any user within a tenant, including Global Administrators, the highest-privilege accounts. The second flaw was in the legacy Azure Active Directory (Azure AD) Graph API, which failed to check that the tenant an Actor Token was issued in matched the tenant whose data was being requested. An attacker who requested an Actor Token in a tenant they controlled could therefore present it against any other tenant, needing only that tenant's ID and the internal identifier of one of its users.
Together, these weaknesses meant an attacker could read the directory of any Entra ID tenant as any of its users and, by impersonating a Global Administrator, create or modify accounts, grant permissions, and reach sensitive data across Microsoft 365 and Azure resources. Both flaws lived in legacy components still operating inside Entra ID, and the risk was compounded by a lack of traceability: Actor Token issuance produced no log entry, and read requests through the Azure AD Graph API left no trace in the victim tenant. Only write operations would have been logged, and those would have been attributed to the impersonated user.
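To make the missing tenant-origin check concrete, the following Python model is an added illustration, not code from Microsoft, from Mollema's write-up, or from this article's sources. It shows a signed inner token that names the tenant it was issued in, an unsigned outer envelope in which the caller claims a tenant and a user, and two authorization routines: one that trusts the envelope once the inner signature verifies (the flawed behaviour) and one that refuses any request whose claimed tenant differs from the token's issuing tenant. The claim names ("tid", "nameid", "actortoken"), the HMAC signing key, and the tenant and user identifiers are all simplifications constructed for this example and do not reflect the real Actor Token format.

```python
"""Toy model of the tenant-origin check that the legacy API failed to perform.

Added illustration only. Token layout, claim names, the HMAC signature and
the tenant/user identifiers are constructed for this example; they are not
Microsoft's Actor token format or keys.
"""
import base64
import hashlib
import hmac
import json

# Constructed stand-in for the issuing service's signing key (assumption).
DEMO_SIGNING_KEY = b"example-token-service-key-not-real"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_actor_token(issuing_tenant: str, service_app: str) -> str:
    """Signed service-to-service token. It records the tenant it was issued
    in ("tid") and says nothing about which user will later be impersonated."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": f"{service_app}@{issuing_tenant}", "aud": "legacy-graph", "tid": issuing_tenant}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(payload).encode())}"
    sig = hmac.new(DEMO_SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def wrap_impersonation(actor_token: str, target_tenant: str, user_id: str) -> dict:
    """Unsigned outer envelope supplied by the caller: which tenant and which
    user it claims to act as. In the attack scenario this is attacker-chosen."""
    return {"actortoken": actor_token, "tid": target_tenant, "nameid": user_id}


def verify_actor_token(token: str) -> dict:
    """Signature check only; returns the inner token's claims on success."""
    head, body, sig = token.split(".")
    expected = hmac.new(DEMO_SIGNING_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("actor token signature invalid")
    return json.loads(_b64url_decode(body))


def authorize_vulnerable(envelope: dict) -> str:
    """Flawed behaviour: a valid signature on the inner token is treated as
    sufficient, and the tenant and user named in the envelope are trusted."""
    verify_actor_token(envelope["actortoken"])
    return f"{envelope['nameid']}@{envelope['tid']}"


def authorize_hardened(envelope: dict) -> str:
    """Fixed behaviour: the tenant the inner token was issued in must equal
    the tenant the caller asks to act in; cross-tenant requests are refused."""
    claims = verify_actor_token(envelope["actortoken"])
    if claims["tid"] != envelope["tid"]:
        raise PermissionError(
            f"token issued in tenant {claims['tid']} cannot act in tenant {envelope['tid']}"
        )
    return f"{envelope['nameid']}@{envelope['tid']}"


def run_scenario() -> dict:
    """Attacker holds a token from their own tenant and claims to be a Global
    Admin in a victim tenant. Returns what each authorization model decides."""
    attacker_token = mint_actor_token("attacker-tenant", "backend-service")
    cross_tenant = wrap_impersonation(attacker_token, "victim-tenant", "victim-global-admin")
    same_tenant = wrap_impersonation(attacker_token, "attacker-tenant", "attacker-user")

    outcome = {
        "same_tenant_ok": authorize_hardened(same_tenant),
        "vulnerable_accepts": authorize_vulnerable(cross_tenant),
    }
    try:
        authorize_hardened(cross_tenant)
        outcome["hardened_rejects"] = False
    except PermissionError:
        outcome["hardened_rejects"] = True
    return outcome


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point the model makes is that the signature on the inner token is genuine in both cases; the attacker never forges anything. What fails is the binding between the token's issuing tenant and the tenant the request targets, and that binding is exactly what the hardened routine enforces before it trusts the envelope's user claim.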
Mollema reported the issues to Microsoft in July 2025, and Microsoft deployed fixes within days to close the gap. Had the flaws been found and exploited by malicious actors first, the consequences could have been devastating on a global scale, exposing data for the many thousands of organizations that rely on Entra ID and Azure.
Because Entra ID sits at the center of cloud identity for Microsoft's customers, flaws of this kind highlight how hard it is to secure legacy infrastructure that continues to run alongside modern controls. The incident underscores the need for continuous security evaluation, prompt patching, and migration away from deprecated services such as the Azure AD Graph API, which Microsoft is retiring in favor of Microsoft Graph.
The vulnerability has been assigned CVE-2025-55241, which Microsoft rates critical, and it is a reminder that identity and access management remains a prime target for attackers seeking broad control over enterprise environments.
- Vulnerabilities affect Microsoft Entra ID, impacting Azure tenants globally
- Actor Tokens are undocumented service-to-service tokens that bypass Conditional Access and are not logged when issued
- The legacy Azure AD Graph API failed to check that a token's originating tenant matched the tenant being accessed
- Potential impact: full global admin account takeover and data compromise
- Microsoft patched the flaws swiftly upon disclosure
- No log entries for token issuance or read requests made the flaw especially dangerous
- Nearly all customer tenants could have been affected; only tenants in separate national and government clouds were out of reach
This discovery underlines the risks that persist as enterprises move critical infrastructure to cloud platforms like Azure, and the need for vigilance around legacy authentication mechanisms and identity security.