“Critical Vulnerability in Entra ID could Have Allowed Complete Takeover of any Tenant”


A Dutch security researcher discovered a vulnerability that would have allowed an attacker to take over any Entra ID tenant.

Microsoft has resolved a serious security flaw in its cloud identity service Entra ID. The flaw could have allowed an attacker to gain full control of any Entra ID tenant worldwide.

Untraceable Tokens

The vulnerability, CVE-2025-55241, was discovered in July and resolved by Microsoft within just a few days. Security researcher Dirk-Jan Mollema describes in his blog that this is “probably the most impactful Entra ID vulnerability” ever found.

The attack was made possible by Actor tokens. These are internal service-to-service tokens that Microsoft's own backend services use to act on behalf of users in a tenant. They are not meant to be used by customers or third parties, and they sit outside the usual controls: their issuance is not logged, they are not subject to Conditional Access policies, and they cannot be revoked during their 24-hour lifetime.

Because of a flaw in the legacy Azure AD Graph API (graph.windows.net), which Entra ID still exposes even though it is being retired in favour of Microsoft Graph, the API did not check which tenant an Actor token had been issued in. An attacker could therefore take an Actor token obtained in their own tenant, pair it with claims naming a user in any other tenant, and Azure AD Graph would accept the request as that user. Impersonating a Global Administrator this way gave full control of the victim tenant: the attacker could read all directory data, create accounts, grant permissions, and reach any Microsoft 365 service that relies on Entra ID for identity. Because read operations against Azure AD Graph are not logged in the victim tenant, such access would leave little or no trace there.

Swift Action Taken

The vulnerability was reported to Microsoft on July 14, and three days later, on July 17, Microsoft had rolled out a global fix. According to Microsoft, there is no evidence that the vulnerability was exploited. Additional hardening followed in early August: Actor tokens can no longer be requested for the Azure AD Graph API, and tenant ID validation was broadened so that a token issued in one tenant is not accepted for another. For customers, the practical takeaway is to finish migrating any remaining Azure AD Graph usage to Microsoft Graph, since the legacy API is being retired.
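To make the missing tenant check concrete, here is a schematic model of the validation gap described in the "Untraceable Tokens" section and of the broadened tenant ID validation mentioned above. It is an added example, not Microsoft's code and not the researcher's proof of concept: the token layout, the claim names (`tid`, `netid`, `actortoken`), the HMAC signing key, and the tenant and user identifiers are all constructed for illustration. Real Actor tokens are issued and signed by Microsoft's token service; the shape modelled here is a signed service token wrapped by an unsigned outer token that names the tenant and user to impersonate.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-in for the token service's signing key; real Actor tokens
# are signed by Microsoft's service, not with a shared HMAC key (assumption).
SERVICE_KEY = b"constructed-example-signing-key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _encode_segment(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def _sign(signing_input: str) -> str:
    return _b64url(hmac.new(SERVICE_KEY, signing_input.encode(), hashlib.sha256).digest())


def issue_actor_token(issuing_tenant: str, app_id: str) -> str:
    """Model of an Actor token: signed, and carrying the tenant it was issued in ('tid')."""
    header = _encode_segment({"alg": "HS256", "typ": "JWT"})
    payload = _encode_segment({"tid": issuing_tenant, "appid": app_id})
    return f"{header}.{payload}.{_sign(f'{header}.{payload}')}"


def verify_actor_token(token: str) -> dict:
    """Check the Actor token signature and return its claims."""
    header, payload, signature = token.split(".")
    if not hmac.compare_digest(_sign(f"{header}.{payload}"), signature):
        raise PermissionError("actor token signature invalid")
    return json.loads(_b64url_decode(payload))


def build_impersonation_token(actor_token: str, target_tenant: str, net_id: str) -> str:
    """Model of the unsigned outer token naming the tenant and user to impersonate.

    Only the embedded Actor token is signed; the outer claims are caller-controlled.
    Claim names are assumptions for this example.
    """
    header = _encode_segment({"alg": "none", "typ": "JWT"})
    payload = _encode_segment({"tid": target_tenant, "netid": net_id, "actortoken": actor_token})
    return f"{header}.{payload}."


def _unwrap(imp_token: str) -> tuple:
    """Return (outer claims, verified Actor token claims)."""
    _, payload, _ = imp_token.split(".")
    claims = json.loads(_b64url_decode(payload))
    return claims, verify_actor_token(claims["actortoken"])


def authorize_vulnerable(imp_token: str, requested_tenant: str) -> dict:
    """Pre-fix behaviour: the Actor token signature is verified, but the tenant
    it was issued in is never compared with the tenant being accessed."""
    claims, actor = _unwrap(imp_token)
    if claims["tid"] != requested_tenant:
        raise PermissionError("impersonation claims name a different tenant")
    return {"tenant": requested_tenant, "user": claims["netid"], "via": actor["appid"]}


def authorize_fixed(imp_token: str, requested_tenant: str) -> dict:
    """Post-fix behaviour: the Actor token must have been issued in the requested tenant."""
    claims, actor = _unwrap(imp_token)
    if claims["tid"] != requested_tenant:
        raise PermissionError("impersonation claims name a different tenant")
    if actor["tid"] != requested_tenant:
        raise PermissionError("actor token was not issued in the requested tenant")
    return {"tenant": requested_tenant, "user": claims["netid"], "via": actor["appid"]}


def cross_tenant_demo() -> tuple:
    """Attacker holds an Actor token from their own tenant and targets another tenant."""
    attacker_tenant = "aaaaaaaa-0000-4000-8000-000000000001"  # constructed IDs
    victim_tenant = "bbbbbbbb-0000-4000-8000-000000000002"
    actor = issue_actor_token(attacker_tenant, "constructed-service-app")
    forged = build_impersonation_token(actor, victim_tenant, "victim-global-admin-netid")
    accepted = authorize_vulnerable(forged, victim_tenant)  # cross-tenant access granted
    try:
        authorize_fixed(forged, victim_tenant)
        verdict = "accepted"
    except PermissionError as err:
        verdict = f"rejected: {err}"
    return accepted, verdict


if __name__ == "__main__":
    before, after = cross_tenant_demo()
    print("vulnerable check granted:", before)
    print("fixed check:", after)
```

The point of the two authorizers is that both verify the signature on the inner token, so signature checking alone was never the problem; what the hardened version adds is the binding between the tenant the Actor token was issued for and the tenant the request touches, which is the check the article says Microsoft broadened in August.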