CVE-2025-55241 represents a critical privilege escalation vulnerability in Microsoft Entra ID (formerly Azure Active Directory) discovered on July 14, 2025, allowing attackers to escalate privileges and impersonate any user across Entra ID tenants, including Global Administrators. This Entra ID vulnerability exploited flaws in undocumented Microsoft-internal “Actor tokens” combined with validation weaknesses in the legacy Azure AD Graph API. The Entra ID security flaw bypassed multi-factor authentication and Conditional Access policies while leaving minimal audit logs, making detection of Entra ID compromise extremely difficult. This Entra ID vulnerability carried a maximum CVSS score of 10.0, representing the highest possible severity for cloud identity systems. Microsoft rapidly deployed a global Entra ID fix after the July 2025 vulnerability report, with no evidence of active exploitation discovered. Organizations must verify Entra ID patching, immediately retire deprecated Azure AD Graph APIs, migrate to Microsoft Graph, and conduct comprehensive reviews of Entra ID audit logs for suspicious activity during the July-August 2025 affected period. This critical Entra ID flaw highlighted significant risks in cloud identity trust boundaries and emphasized the necessity for strict token validation across all Entra ID implementations.
CVE-2025-55241 is a critical privilege-escalation vulnerability in Microsoft Entra ID, carrying a maximum CVSS score of 10.0 and discovered by security researcher Dirk-Jan Mollema in July 2025. This Entra ID vulnerability resulted from the combination of undocumented Microsoft-internal “Actor tokens” and a validation flaw in the legacy Azure AD Graph API. These Entra ID security issues allowed attackers controlling one Entra ID tenant to craft tokens that were improperly accepted by other Entra ID tenants, enabling cross-tenant impersonation of users, including Global Administrators with full Entra ID privileges.
The Entra ID attack chain was unusually simple considering its critical severity. An attacker with access to any Entra ID tenant could obtain an Actor token intended for internal Microsoft service operations within Entra ID infrastructure. When paired with the Azure AD Graph API’s weak tenant-validation logic, this token enabled creation of forged identities that authenticated as arbitrary users in other Entra ID organizations. Actor-token authentication also bypassed multi-factor authentication and Conditional Access policies in Entra ID, and because related Graph API calls produced limited logs, initial reconnaissance and Entra ID exploitation were extremely difficult to detect through standard security monitoring.
Successful impersonation of a Global Administrator through this Entra ID vulnerability could expose or alter sensitive directory data, identity configurations, and application permissions within Entra ID environments, while granting unauthorized access to connected Microsoft 365 and Azure resources. The combination of exploitation ease, stealth characteristics, and potential impact led security researchers to warn that nearly all Entra ID tenants were theoretically vulnerable to this cross-tenant privilege escalation attack. This Entra ID security flaw represented one of the most severe cloud identity vulnerabilities disclosed in 2025.
Microsoft issued a global Entra ID hotfix within three days of the July 14, 2025 vulnerability report and deployed additional mitigations to Entra ID infrastructure by early August 2025. Microsoft reported no evidence of in-the-wild exploitation of this Entra ID vulnerability, though Actor-token usage was not comprehensively logged in Entra ID systems; Microsoft instead relied on broader service telemetry and administrative-activity patterns to identify potential signs of abuse. Because the Entra ID fix was automatically applied globally, the September 4, 2025 security advisory required no customer action for Entra ID protection. However, organizations are strongly urged to retire the deprecated Azure AD Graph API, adopt Microsoft Graph for all Entra ID operations, and review administrative logs for suspicious Entra ID activity during the July to August 2025 vulnerability period.
Organizations must confirm their Entra ID tenant received Microsoft’s automatic fix deployed globally by mid-July 2025. While no customer action was required for the Entra ID patch, administrators should validate their tenant’s patch status through the Microsoft 365 admin center or Azure portal to ensure Entra ID protection is properly in place and the vulnerability has been remediated across all Entra ID infrastructure.
Immediately audit and eliminate all remaining dependencies on the legacy Azure AD Graph API (graph.windows.net) in favor of Microsoft Graph for all Entra ID operations. The legacy API was the vulnerable component in this Entra ID attack chain, and Microsoft has accelerated its decommissioning. Organizations must review all custom applications, scripts, and integrations to identify and update any code still using the deprecated endpoint, since such code could expose Entra ID environments to similar vulnerabilities.
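A simple way to start the dependency audit described above is to scan source and configuration trees for references to the legacy endpoint. The scanner below is an added example, not tooling from Microsoft or from this page; it looks for the graph.windows.net host, the well-known Azure AD Graph application ID (00000002-0000-0000-c000-000000000000), and cmdlets of the deprecated AzureAD PowerShell module (which is built on Azure AD Graph). The file extensions, skipped directories, and the sample files it creates in a temporary directory are assumptions constructed for the demonstration.

```python
import os
import re
import tempfile
from pathlib import Path

# Indicators of legacy Azure AD Graph usage. The first two are the API's host and its
# well-known application ID; the third matches cmdlets of the deprecated AzureAD PowerShell
# module, which calls Azure AD Graph under the hood.
LEGACY_PATTERNS = {
    "azure-ad-graph-endpoint": re.compile(r"graph\.windows\.net", re.IGNORECASE),
    "azure-ad-graph-app-id": re.compile(r"00000002-0000-0000-c000-000000000000", re.IGNORECASE),
    "azuread-powershell-module": re.compile(r"\b(Connect|Get|Set|New|Remove)-AzureAD\w*"),
}

# Assumed defaults for the scan: directories to skip and file types worth reading.
SKIP_DIRS = {".git", "node_modules", "bin", "obj", "__pycache__"}
TEXT_EXTS = {".py", ".ps1", ".cs", ".js", ".ts", ".json", ".config", ".xml",
             ".yaml", ".yml", ".env", ".txt"}


def scan_text(path, text):
    """Return (path, line_no, indicator, line) tuples for every legacy reference in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for label, pattern in LEGACY_PATTERNS.items():
            if pattern.search(line):
                findings.append((str(path), line_no, label, line.strip()))
    return findings


def scan_tree(root):
    """Walk a directory tree and collect legacy Azure AD Graph references from text files."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune vendored and build directories in place so os.walk does not descend into them.
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            path = Path(dirpath) / name
            if path.suffix.lower() not in TEXT_EXTS:
                continue
            text = path.read_text(encoding="utf-8", errors="ignore")
            findings.extend(scan_text(path, text))
    return sorted(findings)


def demo():
    """Build a constructed sample project in a temp dir and scan it (values are invented)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        (root / "scripts").mkdir()
        (root / "node_modules").mkdir()
        # Legacy resource URI in an app config: should be reported.
        (root / "app" / "config.json").write_text(
            '{"resource": "https://graph.windows.net", "tenant": "contoso.example"}\n')
        # Modern Microsoft Graph call: should not be reported.
        (root / "app" / "modern.py").write_text(
            'URL = "https://graph.microsoft.com/v1.0/users"\n')
        # Deprecated AzureAD module cmdlets: should be reported once per line.
        (root / "scripts" / "users.ps1").write_text(
            "Connect-AzureAD\nGet-AzureADUser -All $true\n")
        # Vendored copy: skipped because node_modules is pruned.
        (root / "node_modules" / "vendor.js").write_text(
            'const r = "https://graph.windows.net";\n')
        return scan_tree(root)


if __name__ == "__main__":
    for path, line_no, label, line in demo():
        print(f"{label:28} {Path(path).name}:{line_no}  {line}")
```

Run it against a real checkout by calling `scan_tree("/path/to/repo")`; every hit is a place to migrate to Microsoft Graph before the legacy endpoint is retired.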
Search Entra ID audit logs for July-August 2025 using KQL detection queries to identify potential abuse indicators within Entra ID systems. Specifically, look for operations where the display name shows a Microsoft service such as Exchange, SharePoint, or Skype, but the user principal name indicates a regular user account rather than a legitimate service principal; such a mismatch could indicate an Entra ID Actor token exploitation attempt.
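The same mismatch check can be run offline over an exported copy of the directory audit log. The script below is an added example written for this page, not one of the KQL queries the advisory refers to and not code from Microsoft; it applies the indicator described above (a service-style display name on an identity that carries a user principal name) to records shaped like Microsoft Graph `directoryAudit` entries within the July to August 2025 window. The field names follow that schema; the sample records, their IDs, timestamps and UPNs are constructed for the demonstration, and legitimate first-party activity is assumed to appear under `initiatedBy.app` rather than `initiatedBy.user`.

```python
import json
import re
from datetime import datetime, timezone

# Service display names named as indicators when they show up on a *user* identity.
SERVICE_NAME_PATTERN = re.compile(r"\b(Exchange|SharePoint|Skype)\b", re.IGNORECASE)

# Constructed sample records in the shape of Microsoft Graph directoryAudit entries.
# Field names match the schema; every value is invented for this example.
SAMPLE_AUDIT_LOG = json.dumps([
    {"id": "evt-1", "activityDateTime": "2025-07-20T10:15:00Z",
     "activityDisplayName": "Add member to role",
     "initiatedBy": {"user": {"displayName": "Microsoft Exchange Online",
                              "userPrincipalName": "j.doe@contoso.example"},
                     "app": None}},
    {"id": "evt-2", "activityDateTime": "2025-07-21T08:00:00Z",
     "activityDisplayName": "Update user",
     "initiatedBy": {"user": None,
                     "app": {"displayName": "Office 365 Exchange Online",
                             "servicePrincipalId": "00000000-0000-0000-0000-000000000001"}}},
    {"id": "evt-3", "activityDateTime": "2025-08-02T14:30:00Z",
     "activityDisplayName": "Update application",
     "initiatedBy": {"user": {"displayName": "Jane Doe",
                              "userPrincipalName": "jane@contoso.example"},
                     "app": None}},
    {"id": "evt-4", "activityDateTime": "2025-06-30T23:59:00Z",
     "activityDisplayName": "Add member to role",
     "initiatedBy": {"user": {"displayName": "SharePoint Online",
                              "userPrincipalName": "svc@contoso.example"},
                     "app": None}},
    {"id": "evt-5", "activityDateTime": "2025-08-15T09:05:00Z",
     "activityDisplayName": "Update application - Certificates and secrets management",
     "initiatedBy": {"user": {"displayName": "Skype for Business",
                              "userPrincipalName": "bob@contoso.example"},
                     "app": None}},
])


def parse_time(value):
    """Parse the ISO 8601 timestamp Graph returns (trailing Z) into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_actor_token_indicator(record):
    """True when a service-style display name is attached to an identity that has a UPN."""
    user = (record.get("initiatedBy") or {}).get("user") or {}
    display_name = user.get("displayName") or ""
    upn = user.get("userPrincipalName") or ""
    # Genuine first-party service activity is attributed to initiatedBy.app (a service
    # principal) and carries no UPN; a service name on a UPN is the mismatch to flag.
    return bool(SERVICE_NAME_PATTERN.search(display_name)) and "@" in upn


def find_indicators(records, start, end):
    """Return flagged records whose activityDateTime falls inside [start, end]."""
    hits = []
    for rec in records:
        when = parse_time(rec["activityDateTime"])
        if start <= when <= end and is_actor_token_indicator(rec):
            user = rec["initiatedBy"]["user"]
            hits.append({"id": rec["id"], "time": rec["activityDateTime"],
                         "activity": rec["activityDisplayName"],
                         "displayName": user["displayName"],
                         "upn": user["userPrincipalName"]})
    return hits


def review_window():
    """Apply the check to the sample log over the July to August 2025 review period."""
    start = datetime(2025, 7, 1, tzinfo=timezone.utc)
    end = datetime(2025, 8, 31, 23, 59, 59, tzinfo=timezone.utc)
    return find_indicators(json.loads(SAMPLE_AUDIT_LOG), start, end)


if __name__ == "__main__":
    for hit in review_window():
        print(f"{hit['time']}  {hit['id']}  {hit['activity']!r}  "
              f"shown as {hit['displayName']!r} but UPN {hit['upn']}")
```

Against real data, replace `SAMPLE_AUDIT_LOG` with the JSON exported from the directory audit log and treat each hit as a lead for the privileged-role and credential review that follows, not as a confirmed compromise on its own.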
Conduct comprehensive audits of all privileged role assignments within Entra ID, especially Global Administrator accounts, and review service principal permissions and credentials. Examine any new user accounts, credential additions to existing applications, or permission grants created in Entra ID between July to August 2025, as these were common post-exploitation techniques that would have generated audit logs. Implement least-privilege access principles for Entra ID and enable Privileged Identity Management (PIM) for just-in-time administrative access to Entra ID resources.
Review your Entra ID tenant’s guest user configurations and B2B trust relationships, as the vulnerability could be exploited by threat actors hopping across organizational boundaries through Entra ID guest accounts. Evaluate default guest user permissions in Entra ID, restrict external collaboration where not business-critical, and implement stricter controls on which external users can enumerate your Entra ID directory to prevent cross-tenant exploitation vectors.