PT-2025-36098 · Microsoft · Azure Entra
Author: Dirk-jan Mollema (+1)
Published: 2025-09-04 · Updated: 2025-11-20
CVE-2025-55241
CVSS v3.1: 10.0 (Critical)
Base vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Microsoft Entra ID (formerly Azure Active Directory) (affected versions not specified)
Description
A critical vulnerability (CVE-2025-55241) exists in Microsoft Entra ID that allows an attacker to impersonate any user, including Global Administrators, in any tenant. The root cause is a flaw in the Azure AD Graph API, which failed to properly validate the originating tenant when presented with undocumented "Actor tokens" intended for internal service-to-service communication. Because these tokens are not subject to security policies such as Conditional Access, they granted complete access to a tenant while generating minimal logging, making detection difficult. The vulnerability could potentially have compromised every Entra ID tenant globally. The issue was discovered by Dirk-jan Mollema and has been patched by Microsoft. It carries a CVSS score of 10.0, the maximum severity. There have been no reported exploits of this vulnerability in the wild.
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Tags: Exploit · LPE · Improper Authentication
Related Identifiers
BDU:2025-11135
CVE-2025-55241
Affected Products
Azure Entra
References (90)
- 🔥 https://dirkjanm.io/obtaining-global-admin-in-every-entra-id-tenant-with-actor-tokens · Exploit
- 🔥 https://github.com/Spanky-McSpank/CVE-2025-55241-Internal-Audit · Exploit
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55241 · Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2025-55241 · Security Note
- https://bdu.fstec.ru/vul/2025-11135 · Security Note
- https://twitter.com/_RaySecurity/status/1975972298046787846 · Twitter Post
- https://twitter.com/hasamba/status/1968668004784165252 · Twitter Post
- https://twitter.com/BhuvaneswariM15/status/1970255935655551150 · Twitter Post
- https://twitter.com/NightstarPartn1/status/1970507899332952495 · Twitter Post
- https://reddit.com/r/CVEWatch/comments/1nlubrs/top_10_trending_cves_20092025 · Reddit Post
- https://twitter.com/fridaysecurity/status/1969925283688956364 · Twitter Post
- https://reddit.com/r/CVEWatch/comments/1nmo3h6/top_10_trending_cves_21092025 · Reddit Post
- https://twitter.com/ZenoPopovici/status/1973013034290569507 · Twitter Post
- https://twitter.com/PurpleOps_io/status/1970020695011643812 · Twitter Post
- https://t.me/cKure/16331 · Telegram Post