Microsoft issued an emergency fix in September 2025 for CVE-2025-55241, a critical elevation-of-privilege flaw in Entra ID (formerly Azure Active Directory) that could have allowed an attacker to impersonate any user, including Global Admins, across tenants.

How the Vulnerability Worked

The flaw arose from two interacting issues. Security researcher Dirk-Jan Mollema found that an undocumented “Actor” token mechanism used by internal Microsoft services could be requested from a benign tenant and then accepted by a legacy Azure AD Graph API in a different tenant, because the API failed to reliably validate the originating tenant claim. That combination let an attacker present an Actor token from their own tenant and authenticate as arbitrary users in target tenants.
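The validation gap described above is the general one of accepting a token without binding it to the tenant whose data is being accessed. The following Python is an added illustration, not code from the article, from Microsoft, or from the researcher's disclosure: it contrasts an audience-and-expiry-only check with a tenant-aware check over the standard Entra ID claims `aud`, `iss`, `tid` and `exp`. The tenant GUIDs and the "current time" are constructed; the v1 issuer format `https://sts.windows.net/{tenant}/` and the Azure AD Graph audience `https://graph.windows.net` are used as assumptions for the example, and the page does not describe the internal structure of Actor tokens, so nothing here claims to reproduce them. Signature verification is deliberately left out so the example runs offline; a real validator performs it before trusting any claim.

```python
import base64
import json

# Constructed tenant IDs for the example (not real tenants).
RESOURCE_TENANT = "11111111-1111-1111-1111-111111111111"   # tenant that owns the API
OTHER_TENANT = "22222222-2222-2222-2222-222222222222"      # an unrelated tenant
# Audience URI of the legacy Azure AD Graph resource (assumed for this example).
EXPECTED_AUDIENCE = "https://graph.windows.net"


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Build a JWT-shaped string with an empty signature, for constructed test input
    only. A real validator checks the signature before it trusts any claim below."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."


def decode_claims(token: str) -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    return json.loads(_b64url_decode(parts[1]))


def weak_accepts(claims: dict, now_epoch: float) -> bool:
    """Audience and expiry only: the tenant the token was minted in is never
    compared with the tenant whose data is being requested."""
    return claims.get("aud") == EXPECTED_AUDIENCE and claims.get("exp", 0) > now_epoch


def tenant_aware_accepts(claims: dict, resource_tenant: str, now_epoch: float) -> bool:
    """Same checks plus a binding of the token to the tenant being accessed:
    'tid' must equal that tenant and 'iss' must be that tenant's issuer URL."""
    if claims.get("aud") != EXPECTED_AUDIENCE:
        return False
    if claims.get("exp", 0) <= now_epoch:
        return False
    if claims.get("tid") != resource_tenant:
        return False
    # v1 issuer format (assumed): issuer and tid must agree with each other
    # and with the tenant whose directory is being read.
    return claims.get("iss") == f"https://sts.windows.net/{resource_tenant}/"


def evaluate(token: str, resource_tenant: str, now_epoch: float) -> dict:
    claims = decode_claims(token)
    return {
        "tid": claims.get("tid"),
        "weak": weak_accepts(claims, now_epoch),
        "tenant_aware": tenant_aware_accepts(claims, resource_tenant, now_epoch),
    }


def demo() -> dict:
    now = 1_757_000_000.0  # constructed "current time" (early September 2025, UTC)
    exp = now + 3600
    # Token legitimately issued by the resource tenant.
    same_tenant = make_unsigned_token({
        "aud": EXPECTED_AUDIENCE, "iss": f"https://sts.windows.net/{RESOURCE_TENANT}/",
        "tid": RESOURCE_TENANT, "oid": "constructed-user-object-id", "exp": exp,
    })
    # Token issued by a different tenant but presented to RESOURCE_TENANT's API.
    cross_tenant = make_unsigned_token({
        "aud": EXPECTED_AUDIENCE, "iss": f"https://sts.windows.net/{OTHER_TENANT}/",
        "tid": OTHER_TENANT, "oid": "constructed-user-object-id", "exp": exp,
    })
    # Token whose tid and iss disagree; shows the issuer/tid consistency check.
    mismatched = make_unsigned_token({
        "aud": EXPECTED_AUDIENCE, "iss": f"https://sts.windows.net/{OTHER_TENANT}/",
        "tid": RESOURCE_TENANT, "exp": exp,
    })
    return {
        "same_tenant": evaluate(same_tenant, RESOURCE_TENANT, now),
        "cross_tenant": evaluate(cross_tenant, RESOURCE_TENANT, now),
        "mismatched": evaluate(mismatched, RESOURCE_TENANT, now),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running `demo()` shows the point of the article's second lesson: the cross-tenant token passes the weak check and fails the tenant-aware one, while the token from the correct tenant passes both.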

Impact and Exploit Potential

Practical impact was severe. An attacker who obtained and replayed such a token could read and modify directory data, create service principals, change roles, and take control of applications and policies (effectively full tenant compromise in many cases). Because Actor tokens were not subject to Conditional Access controls and, in some paths, generated little or no tenant logging, detection and containment would have been difficult. Multiple security analyses labelled the vulnerability critical and noted it could have undermined the trust boundary of cloud identity itself.

Microsoft’s Response and Mitigation

Microsoft confirmed it received the vulnerability report in mid-July 2025, rolled out a targeted mitigation to stop cross-tenant acceptance of Actor tokens, and accelerated decommissioning of the legacy Graph API usage paths implicated in the issue. Microsoft and third-party observers reported no evidence of active exploitation prior to the fix. Administrators were advised to ensure their tenants had received Microsoft’s update and to remove or replace any remaining dependencies on Azure AD Graph in favor of Microsoft Graph. No further actions are required at this time.

Recommended Actions for Administrators

Longer term, the incident reinforces two operational lessons for cloud identity: reduce your attack surface by retiring legacy APIs, and demand strong, tenant-aware token validation and telemetry from identity providers. For defenders, the immediate actions are straightforward: verify Microsoft’s patch state for your tenant, inventory and migrate away from Azure AD Graph, and review privileged roles and service principals for unexpected changes. Independent writeups and the original researcher’s technical disclosure provide detailed indicators and exploit mechanics for teams that need to hunt or harden.
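Two of the recommended actions, inventorying Azure AD Graph dependencies and reviewing privileged role changes, lend themselves to a script run over directory exports. The Python below is an added example, not code from the article or from Microsoft. It works on constructed records shaped like the Microsoft Graph `servicePrincipal`, `oauth2PermissionGrant`, `appRoleAssignment` and `directoryAudit` objects (object IDs, display names and the audit timestamps are made up), and relies on the well-known Azure AD Graph resource appId `00000002-0000-0000-c000-000000000000` and Microsoft Graph appId `00000003-0000-0000-c000-000000000000`. A client is flagged when it holds delegated or application permissions on the Azure AD Graph resource; an audit event is flagged when it adds a member to the Global Administrator role, with the initiator recorded so an unexpected service principal stands out.

```python
import json

# Well-known appIds of the legacy resource and its replacement.
AAD_GRAPH_APP_ID = "00000002-0000-0000-c000-000000000000"
MS_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"

# Constructed records in the shape of Microsoft Graph objects (all IDs made up).
SERVICE_PRINCIPALS = [
    {"id": "sp-aadgraph", "appId": AAD_GRAPH_APP_ID, "displayName": "Windows Azure Active Directory"},
    {"id": "sp-msgraph", "appId": MS_GRAPH_APP_ID, "displayName": "Microsoft Graph"},
    {"id": "sp-legacy", "appId": "aaaaaaaa-0000-0000-0000-000000000001", "displayName": "Legacy Provisioning Script"},
    {"id": "sp-hrsync", "appId": "aaaaaaaa-0000-0000-0000-000000000002", "displayName": "HR Sync"},
]
OAUTH2_GRANTS = [  # delegated permissions: clientId -> resourceId with a space-separated scope
    {"clientId": "sp-legacy", "resourceId": "sp-aadgraph", "consentType": "AllPrincipals", "scope": "Directory.Read.All User.Read"},
    {"clientId": "sp-hrsync", "resourceId": "sp-msgraph", "consentType": "AllPrincipals", "scope": "User.Read.All"},
]
APP_ROLE_ASSIGNMENTS = [  # application permissions: principalId -> resourceId with an appRoleId
    {"principalId": "sp-legacy", "resourceId": "sp-aadgraph", "appRoleId": "constructed-role-guid-1"},
    {"principalId": "sp-hrsync", "resourceId": "sp-msgraph", "appRoleId": "constructed-role-guid-2"},
]
AUDIT_EVENTS = [
    {"activityDateTime": "2025-09-10T02:13:44Z", "activityDisplayName": "Add member to role",
     "initiatedBy": {"app": {"displayName": "Legacy Provisioning Script", "servicePrincipalId": "sp-legacy"}},
     "targetResources": [{"userPrincipalName": "svc-backup@example.com",
                          "modifiedProperties": [{"displayName": "Role.DisplayName", "newValue": "\"Global Administrator\""}]}]},
    {"activityDateTime": "2025-09-10T09:00:00Z", "activityDisplayName": "Add member to role",
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.com"}},
     "targetResources": [{"userPrincipalName": "jsmith@example.com",
                          "modifiedProperties": [{"displayName": "Role.DisplayName", "newValue": "\"Helpdesk Administrator\""}]}]},
    {"activityDateTime": "2025-09-10T09:05:00Z", "activityDisplayName": "Update user",
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.com"}}, "targetResources": []},
]


def find_azure_ad_graph_clients(service_principals, grants, role_assignments):
    """One finding per client that still holds delegated or application permissions
    on the Azure AD Graph resource; these are the migration candidates."""
    by_id = {sp["id"]: sp for sp in service_principals}
    aad_graph_ids = {sp["id"] for sp in service_principals if sp.get("appId") == AAD_GRAPH_APP_ID}
    findings = []
    for g in grants:
        if g["resourceId"] in aad_graph_ids:
            findings.append({"client": by_id.get(g["clientId"], {}).get("displayName", g["clientId"]),
                             "kind": "delegated", "permissions": g.get("scope", "").split()})
    for a in role_assignments:
        if a["resourceId"] in aad_graph_ids:
            findings.append({"client": by_id.get(a["principalId"], {}).get("displayName", a["principalId"]),
                             "kind": "application", "permissions": [a["appRoleId"]]})
    return findings


def privileged_role_additions(audit_events, role_name="Global Administrator"):
    """Audit events that add a member to the named role, with who (user or app) did it.
    newValue in audit logs is a JSON-encoded string, hence the substring match."""
    hits = []
    for ev in audit_events:
        if ev.get("activityDisplayName") != "Add member to role":
            continue
        actor = ev.get("initiatedBy", {})
        who = ((actor.get("user") or {}).get("userPrincipalName")
               or (actor.get("app") or {}).get("displayName") or "unknown")
        for target in ev.get("targetResources", []):
            for prop in target.get("modifiedProperties", []):
                if prop.get("displayName") == "Role.DisplayName" and role_name in (prop.get("newValue") or ""):
                    hits.append({"when": ev["activityDateTime"],
                                 "target": target.get("userPrincipalName") or target.get("displayName"),
                                 "by": who, "by_app": "app" in actor})
    return hits


def demo():
    return {"aad_graph_clients": find_azure_ad_graph_clients(SERVICE_PRINCIPALS, OAUTH2_GRANTS, APP_ROLE_ASSIGNMENTS),
            "global_admin_additions": privileged_role_additions(AUDIT_EVENTS)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Against a real tenant the same functions can be fed the JSON returned by the Microsoft Graph `servicePrincipals`, `oauth2PermissionGrants`, `servicePrincipals/{id}/appRoleAssignedTo` and `auditLogs/directoryAudits` endpoints; the record shapes above follow those objects, but the data is constructed.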