
Microsoft has released a patch for a critical security vulnerability in Entra ID (formerly Azure Active Directory) that could have allowed attackers to impersonate any user — even Global Administrators — across multiple tenants. The flaw, tracked as CVE-2025-55241, was given the maximum CVSS severity score of 10.0, highlighting its seriousness.
The issue was reported on July 14, 2025, by security researcher Dirk-jan Mollema and was patched on July 17, 2025. Microsoft confirmed that no customer action is required and said there is no evidence of active exploitation in the wild.
The vulnerability originated from the interaction of two outdated components:
- Service-to-Service (S2S) Actor Tokens issued by the Access Control Service (ACS)
- The legacy Azure AD Graph API (graph.windows.net)
The Graph API failed to properly validate the tenant source of a token. This loophole meant attackers could reuse tokens across tenants, effectively impersonating users in other organizations.
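The missing check described above, reduced to its essence as an added illustration (this is a simplified model written for this article, not Microsoft's ACS or Graph code): a token whose signature is genuine but which was issued for tenant A must not be accepted as an identity in tenant B. Claim names `tid` and `sub`, the HMAC key and the tenant ids are all constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

ISSUER_KEY = b"constructed-demo-key"  # stands in for the token service's signing key

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(claims: dict) -> str:
    """Token service: HS256-sign the claims. Any tenant can obtain a valid
    token for its own tenant id; obtaining one is not the bug."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(ISSUER_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_signature(token: str) -> dict:
    """Return the claims only if the signature is authentic."""
    header, payload, sig = token.split(".")
    expected = hmac.new(ISSUER_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise PermissionError("bad signature")
    return json.loads(_unb64url(payload))

def vulnerable_authorize(token: str, target_tenant: str) -> str:
    """Flawed pattern: a valid signature is treated as proof that the caller may
    act as the named user in whatever tenant the request targets."""
    claims = verify_signature(token)
    return f"{claims['sub']} in {target_tenant}"

def hardened_authorize(token: str, target_tenant: str) -> str:
    """Tenant binding: the tenant the token was issued for (tid) must equal the
    tenant whose directory is being accessed."""
    claims = verify_signature(token)
    if claims.get("tid") != target_tenant:
        raise PermissionError("token was issued for a different tenant")
    return f"{claims['sub']} in {target_tenant}"

ATTACKER_TENANT = "aaaaaaaa-0000-0000-0000-000000000001"  # constructed
VICTIM_TENANT = "bbbbbbbb-0000-0000-0000-000000000002"    # constructed

def demo() -> tuple:
    """A token minted in one tenant is presented against another tenant."""
    tok = issue_token({"tid": ATTACKER_TENANT, "sub": "admin"})
    cross_tenant_result = vulnerable_authorize(tok, VICTIM_TENANT)
    try:
        hardened_authorize(tok, VICTIM_TENANT)
        blocked = False
    except PermissionError:
        blocked = True
    return cross_tenant_result, blocked
```

The vulnerable path returns an identity in the victim tenant; the hardened path rejects the same token because its `tid` does not match the tenant being accessed.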
Because these tokens followed Microsoft’s Conditional Access policies, attackers could use them to:
- Access sensitive user information
- Modify roles and permissions
- View group and device details
- Extract BitLocker recovery keys
- Change tenant-wide security settings
Even worse, the legacy API had no detailed logging at the API level, meaning such attacks would have left no forensic traces.
If exploited, the flaw would have enabled attackers to impersonate Global Administrators, the most powerful role in Entra ID. With this access, a malicious actor could:
- Create new accounts with elevated privileges
- Escalate their permissions to gain total control
- Access services like SharePoint Online and Exchange Online
- Exfiltrate sensitive business data
- Manage Azure resources such as virtual machines, storage, and databases
As researcher Mollema explained, “It would provide full access to any resource hosted in Azure, since Global Admins can assign rights to themselves on Azure subscriptions.”
Microsoft classified such attacks as High-Privileged Access (HPA) — situations where a service or application gains broad rights to customer data without proving proper user context.
The Azure AD Graph API, at the core of this flaw, is being deprecated and retired on August 31, 2025. Microsoft has urged organizations to migrate to the modern Microsoft Graph API.
Applications still relying on Azure AD Graph will stop working by September 2025, making migration a priority for businesses.
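To act on the retirement above, a practitioner first needs an inventory of what still talks to Azure AD Graph. The following is an added example, not Microsoft tooling: it scans a constructed JSON-lines export shaped like Entra sign-in records (field names `appId`, `appDisplayName`, `resourceId`, `resourceDisplayName`, `createdDateTime` are assumptions about the export) and lists the apps still authenticating to the legacy resource, with how often and when last seen.

```python
import json
from collections import defaultdict

# Well-known identity of the legacy Azure AD Graph resource (assumption: the export
# reports it as resourceId / resourceDisplayName); the hostname is the one named above.
AZURE_AD_GRAPH_RESOURCE_ID = "00000002-0000-0000-c000-000000000000"
AZURE_AD_GRAPH_DISPLAY_NAME = "Windows Azure Active Directory"
AZURE_AD_GRAPH_HOST = "graph.windows.net"

# Constructed sample export: one sign-in record per line.
SAMPLE_EXPORT = """\
{"createdDateTime": "2025-08-01T09:12:00Z", "appDisplayName": "HR Sync Job", "appId": "app-111", "resourceId": "00000002-0000-0000-c000-000000000000", "resourceDisplayName": "Windows Azure Active Directory"}
{"createdDateTime": "2025-08-02T11:40:00Z", "appDisplayName": "HR Sync Job", "appId": "app-111", "resourceId": "00000002-0000-0000-c000-000000000000", "resourceDisplayName": "Windows Azure Active Directory"}
{"createdDateTime": "2025-08-02T12:05:00Z", "appDisplayName": "Intranet Portal", "appId": "app-222", "resourceId": "00000003-0000-0000-c000-000000000000", "resourceDisplayName": "Microsoft Graph"}
{"createdDateTime": "2025-08-03T08:30:00Z", "appDisplayName": "Legacy Reporting", "appId": "app-333", "resourceId": "", "resourceDisplayName": "https://graph.windows.net/"}
"""

def uses_azure_ad_graph(record: dict) -> bool:
    """True when a sign-in record targeted the legacy Azure AD Graph resource,
    matched by resource id, by display name, or by the legacy hostname."""
    if record.get("resourceId") == AZURE_AD_GRAPH_RESOURCE_ID:
        return True
    name = record.get("resourceDisplayName") or ""
    return name == AZURE_AD_GRAPH_DISPLAY_NAME or AZURE_AD_GRAPH_HOST in name

def legacy_graph_callers(export_text: str) -> dict:
    """Aggregate legacy callers: {appId: {"name", "count", "last_seen"}}."""
    callers = defaultdict(lambda: {"name": "", "count": 0, "last_seen": ""})
    for line in export_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if not uses_azure_ad_graph(rec):
            continue
        entry = callers[rec["appId"]]
        entry["name"] = rec.get("appDisplayName", "")
        entry["count"] += 1
        # ISO-8601 UTC timestamps compare correctly as strings
        entry["last_seen"] = max(entry["last_seen"], rec.get("createdDateTime", ""))
    return dict(callers)

if __name__ == "__main__":
    for app_id, info in sorted(legacy_graph_callers(SAMPLE_EXPORT).items(),
                               key=lambda kv: -kv[1]["count"]):
        print(f"{app_id}  {info['name']!r}  sign-ins={info['count']}  last={info['last_seen']}")
```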
Cloud security company Mitiga highlighted how dangerous this flaw was. According to researcher Roei Sherman, attackers could bypass multi-factor authentication (MFA), Conditional Access, and logging mechanisms.
“The vulnerability arose because the legacy API failed to validate the tenant source of the token,” Sherman said. “An attacker could generate tokens from their own test environment and use them to impersonate Global Admins in any organization.”
This means attackers did not need pre-existing access to the target company, significantly raising the risk factor.

This discovery is part of a larger trend of cloud-related flaws affecting Microsoft services in 2025. Recently, researchers have revealed:
- Exchange Server flaw (CVE-2025-53786): Allowed privilege escalation in on-premise deployments.
- Intune certificate misconfigurations: Enabled attackers to perform ESC1 attacks on Active Directory environments.
- Azure APIM cross-tenant attack: Disclosed by Binary Security, showing how API Manager instances could be abused to compromise SaaS connectors such as Key Vaults, SQL Databases, Jira, and Salesforce.
- Entra ID OAuth misconfiguration: Exposed Microsoft’s Engineering Hub Rescue platform, affecting 22 internal services.
- OneDrive Known Folder Move (KFM) attack: Let attackers gain access to SharePoint apps and files via synced accounts.
- Leaked Azure AD credentials in appsettings.json: Could have allowed unauthorized app deployments and privilege escalation.
- Phishing campaigns using rogue OAuth apps: Tricked users into granting attackers access to AWS credentials.
- Server-Side Request Forgery (SSRF) exploits in AWS: Abused EC2 metadata services for cloud compromise.
- AWS Trusted Advisor flaw: Allowed attackers to bypass S3 bucket exposure checks.
- AWSDoor technique: Modified IAM configurations to persist in AWS environments without detection.
Security experts warn that misconfigurations are as dangerous as zero-day vulnerabilities. Attackers can persist in cloud environments without deploying traditional malware.
According to RiskInsight researchers, attackers often rely on:
- AccessKey injection
- Trust policy backdooring
- “NotAction” policies for silent privilege control
- Abuse of AWS resources like Lambda functions and EC2 instances
- Disabling CloudTrail logs to erase evidence
These tactics allow adversaries to maintain long-term access, exfiltrate sensitive data, or even cause large-scale disruptions.
The CVE-2025-55241 Entra ID flaw shows how outdated cloud components can open doors to catastrophic attacks. While Microsoft acted quickly to patch the vulnerability, it highlights the risks organizations face when using legacy APIs and misconfigured cloud environments.
Businesses must prioritize:
- Migrating to Microsoft Graph API before September 2025
- Implementing strong monitoring beyond standard logs
- Regular audits of cloud configurations
- Zero Trust principles for authentication and access
As cloud adoption grows, attackers are becoming more innovative. Organizations that fail to modernize and secure their environments risk exposing their most sensitive assets to silent and devastating breaches.