Microsoft Patches Critical Entra ID Flaw Enabling Global Admin Impersonation Across Tenants
Briefly
"A critical token validation failure in Microsoft Entra ID (previously Azure Active Directory) could have allowed attackers to impersonate any user, including Global Administrators, across any tenant. The vulnerability, tracked as CVE-2025-55241, has been assigned the maximum CVSS score of 10.0. It has been described by Microsoft as a privilege escalation flaw in Azure Entra. There is no indication that the issue was exploited in the wild. It has been addressed by the Windows maker as of July 17, 2025, requiring no customer action."
"The problem stems from a combination of two components: the use of service-to-service (S2S) actor tokens issued by the Access Control Service (ACS) and a fatal flaw in the legacy Azure AD Graph API (graph.windows.net) that did not adequately validate the originating tenant, which effectively allowed the tokens to be used for cross-tenant access. What makes this noteworthy is that the tokens are subject to Microsoft's Conditional Access policies, enabling a bad actor with access to the Graph API to make unauthorized modifications."
A critical token validation failure in Microsoft Entra ID could allow attackers to impersonate any user, including Global Administrators, across tenants. The vulnerability, tracked as CVE-2025-55241 and carrying a CVSS score of 10.0, combined S2S actor tokens issued by the Access Control Service (ACS) with a flaw in the legacy Azure AD Graph API that failed to validate the originating tenant, enabling cross-tenant access. Tokens were subject to Conditional Access policies, permitting unauthorized modifications, and the legacy Graph API lacked API-level logging, allowing access to user, group, role, tenant, application and device data without leaving traces. Microsoft remediated the issue on July 17, 2025; no customer action was required.
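The core defect the summary describes is a resource API that trusted a token without binding the tenant it was issued for to the tenant the request targets. The following Python is an added illustration of that check, not Microsoft's code and not taken from The Hacker News article: it models a token as a plain dictionary of conventional JWT/OIDC-style claims (`iss`, `aud`, `tid`, `sub`, `exp`), which is an assumption about shape for teaching purposes, not a description of actual actor-token internals. The tenant IDs, issuer prefix and audience value are constructed. The "legacy" validator checks issuer, audience and expiry but never compares the token's tenant with the target tenant; the "fixed" validator adds that binding and also requires the issuer to belong to the token's own tenant.

```python
"""Added example: tenant binding as the missing step in token validation.
Not Microsoft's code; claim names and all sample values are constructed."""
import time

# Constructed values standing in for a resource audience and a trusted issuer prefix.
RESOURCE_AUDIENCE = "https://resource.example.invalid"
TRUSTED_ISSUER_PREFIX = "https://sts.example.invalid/"

TENANT_A = "11111111-1111-1111-1111-111111111111"  # constructed tenant ID
TENANT_B = "22222222-2222-2222-2222-222222222222"  # constructed tenant ID


class TokenRejected(Exception):
    """Raised when a token fails validation."""


def _check_common(claims, now):
    """Checks every validator should perform: required claims, issuer, audience, expiry."""
    for required in ("iss", "aud", "tid", "sub", "exp"):
        if required not in claims:
            raise TokenRejected(f"missing claim: {required}")
    if not claims["iss"].startswith(TRUSTED_ISSUER_PREFIX):
        raise TokenRejected("untrusted issuer")
    if claims["aud"] != RESOURCE_AUDIENCE:
        raise TokenRejected("audience mismatch")
    if claims["exp"] <= now:
        raise TokenRejected("token expired")


def validate_token_legacy(claims, target_tenant, now=None):
    """Flawed validator: accepts a well-formed token for ANY tenant and then
    acts on target_tenant, so a token minted in tenant A is honoured against tenant B."""
    now = time.time() if now is None else now
    _check_common(claims, now)
    # No comparison of claims["tid"] against target_tenant: this is the gap.
    return {"tenant": target_tenant, "subject": claims["sub"]}


def validate_token_fixed(claims, target_tenant, now=None):
    """Hardened validator: the token's tenant must equal the tenant being accessed,
    and the issuer must be the security token service of that same tenant."""
    now = time.time() if now is None else now
    _check_common(claims, now)
    if claims["tid"] != target_tenant:
        raise TokenRejected(
            f"tenant mismatch: token for {claims['tid']}, request targets {target_tenant}"
        )
    if claims["iss"] != TRUSTED_ISSUER_PREFIX + claims["tid"] + "/":
        raise TokenRejected("issuer does not belong to the token's tenant")
    return {"tenant": claims["tid"], "subject": claims["sub"]}


def make_sample_claims(tenant, subject, now):
    """Constructs a sample claim set for the tenant given (test data, not a real token)."""
    return {
        "iss": TRUSTED_ISSUER_PREFIX + tenant + "/",
        "aud": RESOURCE_AUDIENCE,
        "tid": tenant,
        "sub": subject,
        "exp": now + 3600,
    }


def demo(now=1_700_000_000):
    """Presents a tenant-A token to a tenant-B resource under both validators.
    Returns (legacy_accepted_cross_tenant, fixed_rejected_cross_tenant)."""
    claims = make_sample_claims(TENANT_A, "service-principal-in-tenant-a", now)
    legacy = validate_token_legacy(claims, TENANT_B, now)
    try:
        validate_token_fixed(claims, TENANT_B, now)
        fixed_rejected = False
    except TokenRejected:
        fixed_rejected = True
    return legacy["tenant"] == TENANT_B, fixed_rejected


if __name__ == "__main__":
    print(demo())  # (True, True): legacy check accepts the cross-tenant token, fixed check rejects it
```

The point for a reviewer of any multi-tenant resource API is that issuer, audience and expiry checks are necessary but not sufficient: the tenant claim has to be compared with the tenant the request is actually about, and the issuer has to be the one belonging to that tenant, or a token valid in one tenant becomes valid in all of them.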
Read at The Hacker News