All Microsoft Entra Tenants Were Exposed to Silent Compromise via Invisible Actor Tokens: Researcher
"These Actor tokens were not subject to security policies. Attackers successfully requesting an Actor token within their own tenant could, explains Mollema in a blog post, 'authenticate as any user, including Global Admins, in any other tenant.' Once created, an Actor token could impersonate anyone against the target service it was requested for, for 24 hours. 'In my personal opinion,' he writes, 'this whole Actor token design is something that never should have existed. It lacks almost every security control that you would want.'"
"But it disguises a far greater threat. A few months earlier, Dirk-jan Mollema had discovered a vulnerability that could have allowed him to compromise any Entra ID tenant in the world, outside perhaps of national cloud deployments, without leaving any trace of an incursion. Had that vulnerability been discovered by an adversarial nation-state, the harm done - globally - could have been immense."
A security researcher discovered a vulnerability enabling compromise of any Entra ID tenant worldwide through undocumented Actor impersonation tokens combined with a validation flaw in the Azure AD Graph API. Actor tokens were used in backend service-to-service communication and were subject neither to security policies nor to API-level logging. An attacker who requested an Actor token in their own tenant could authenticate as any user, including Global Admins, in other tenants and impersonate them for 24 hours. Token requests left no records, and the Azure AD Graph API had no API-level logs. Microsoft assigned CVE-2025-55241 to a related elevation-of-privilege issue and stated that no customer action was required, while the cross-tenant risk represented a far larger, potentially undetected threat.
Read at SecurityWeek