PT-2025-36098 · Microsoft · Azure Entra

Credited: Dirk-Jan Mollema (+1)
Published: 2025-09-04
Updated: 2026-06-06
CVE: CVE-2025-55241
CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Microsoft Entra ID (affected versions not specified)

Description: A critical flaw in the authentication procedure of Microsoft Entra ID (formerly Azure Active Directory) allowed remote attackers to elevate privileges and impersonate any user, including Global Administrators, across all tenants globally. The issue stemmed from a combination of undocumented "Actor tokens" (internal tokens used for service-to-service communication) and a validation error in the legacy Azure AD Graph API. Specifically, the API failed to perform proper boundary checks on the originating tenant, allowing a token from one tenant to be used to access others. Because these tokens were unsigned and bypassed security policies like Conditional Access, exploitation could occur without triggering alarms or leaving actionable logs. This could lead to full infrastructure control, including the ability to read user profiles, extract BitLocker recovery keys, and create new Global Administrator accounts.

Recommendations: Audit all Global Administrator accounts created during the vulnerability period. Rotate all critical keys and certificates. Analyze access logs for suspicious activity. As a temporary mitigation, restrict access to the legacy Azure AD Graph API to minimize the risk of exploitation.
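The first recommendation, auditing Global Administrator grants made inside a review window, as an added example that is not part of this advisory: it walks Entra ID audit-log records exported in the Microsoft Graph directoryAudit JSON shape (schema assumed from that API; the sample records and the window dates are constructed placeholders, since the advisory does not state the vulnerability period) and returns every "Add member to role" event that granted Global Administrator between the two timestamps.

```python
import json
from datetime import datetime, timezone

# Constructed sample records in the Graph directoryAudit shape (schema assumed; data invented).
SAMPLE_EVENTS = json.loads(r'''[
 {"activityDisplayName": "Add member to role", "activityDateTime": "2025-07-20T10:15:00Z",
  "initiatedBy": {"user": {"userPrincipalName": "ops@example.com"}, "app": null},
  "targetResources": [{"userPrincipalName": "new-admin@example.com", "modifiedProperties":
   [{"displayName": "Role.DisplayName", "newValue": "\"Global Administrator\""}]}]},
 {"activityDisplayName": "Add member to role", "activityDateTime": "2025-03-02T08:00:00Z",
  "initiatedBy": {"user": {"userPrincipalName": "ops@example.com"}, "app": null},
  "targetResources": [{"userPrincipalName": "old-admin@example.com", "modifiedProperties":
   [{"displayName": "Role.DisplayName", "newValue": "\"Global Administrator\""}]}]},
 {"activityDisplayName": "Add member to role", "activityDateTime": "2025-08-01T12:30:00Z",
  "initiatedBy": {"user": null, "app": {"displayName": "HR Sync"}},
  "targetResources": [{"userPrincipalName": "reader@example.com", "modifiedProperties":
   [{"displayName": "Role.DisplayName", "newValue": "\"Global Reader\""}]}]}
]''')

# Audit activity names that grant a directory role (assumed; the second is the PIM variant).
GRANT_ACTIVITIES = {"Add member to role", "Add eligible member to role"}

def _ts(iso):
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00")).astimezone(timezone.utc)

def _initiator(ev):
    """Name the user or app that performed the change, whichever is present."""
    who = ev.get("initiatedBy") or {}
    return ((who.get("user") or {}).get("userPrincipalName")
            or (who.get("app") or {}).get("displayName") or "unknown")

def find_global_admin_grants(events, start_iso, end_iso):
    """List every Global Administrator grant recorded between start and end (inclusive)."""
    start, end = _ts(start_iso), _ts(end_iso)
    hits = []
    for ev in events:
        if ev.get("activityDisplayName") not in GRANT_ACTIVITIES:
            continue
        when = _ts(ev["activityDateTime"])
        if not start <= when <= end:
            continue
        for target in ev.get("targetResources") or []:
            for prop in target.get("modifiedProperties") or []:
                # newValue carries a JSON-encoded string, e.g. "\"Global Administrator\""
                if (prop.get("displayName") == "Role.DisplayName"
                        and json.loads(prop.get("newValue") or "null") == "Global Administrator"):
                    hits.append({"when": when.isoformat(), "target": target.get("userPrincipalName"),
                                 "by": _initiator(ev)})
    return hits
```

Each hit names the account that received the role, the user or app that granted it, and when; accounts you cannot tie to a known change request are the ones to review first.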

Tags: Exploit, Fix, LPE, Improper Authentication

Weakness Enumeration

Related Identifiers: BDU:2025-11135, CVE-2025-55241

Affected Products: Azure Entra