#microsoft-entra-id

#microsoft-entra-id

A critical token validation failure in Microsoft Entra ID (previously Azure Active Directory) could have allowed attackers to impersonate any user, including Global Administrators, across any tenant. The vulnerability, tracked as CVE-2025-55241, has been assigned the maximum CVSS score of 10.0. It has been described by Microsoft as a privilege escalation flaw in Azure Entra. There is no indication that the issue was exploited in the wild. It has been addressed by the Windows maker as of July 17, 2025, requiring no customer action.

Dutch security researcher Dirk-jan Mollema discovered a critical vulnerability in Microsoft Entra ID that allowed full access to every tenant in the world. Microsoft fixed the problem within days of being notified. The flaw consisted of undocumented impersonation tokens and a validation error in the old Azure AD Graph API. With this vulnerability, a successful attack would remain completely invisible. This is because there was no logging for requesting Actor tokens. Even if there had been, it would only appear in the attacker's tenant, not in the victim's.

Mollema has studied Entra ID security in depth and published multiple studies about weaknesses in the system, which was formerly known as Azure Active Directory. But while preparing to present at the Black Hat security conference in Las Vegas in July, Mollema discovered two vulnerabilities that he realized could be used to gain global administrator privileges-essentially god mode-and compromise every Entra ID directory, or what is known as a "tenant."