PT-2025-36098 · Microsoft · Azure Entra

Dirk-Jan Mollema +1 · Published 2025-09-04 · Updated 2026-02-09 · CVE-2025-55241

CVSS v3.1: 10 (Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Name of the Vulnerable Software and Affected Versions: Microsoft Entra ID (formerly Azure Active Directory) (affected versions not specified)

Description: A critical flaw in Microsoft Entra ID, stemming from undocumented "Actor tokens" and a vulnerability in the Azure AD Graph API, could have allowed attackers to impersonate any user, including Global Administrators, in any tenant. The vulnerability, tracked as CVE-2025-55241, carries a CVSS score of 10.0 and allowed cross-tenant access without triggering security alerts. The root cause was a lack of proper tenant validation: an attacker holding a token issued in one tenant could use it to gain control over other tenants. The vulnerability was patched in July 2025, and no exploitation had been reported as of September 2025. The flaw highlights the risks associated with legacy APIs and centralized identity management systems.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

LPE

Weakness Enumeration: Improper Authentication

Related Identifiers

BDU:2025-11135
CVE-2025-55241

Affected Products

Azure Entra