- Actor tokens allowed cross-tenant impersonation without logging or security checks
- CVE-2025-55241 enabled Global Administrator access through the deprecated Azure AD Graph API
- Microsoft patched the flaw in July 2025 and formally disclosed it in September; actor tokens and the Azure AD Graph API are being phased out
Security researchers have discovered a critical vulnerability in Microsoft Entra ID that could have allowed threat actors to gain Global Administrator access to almost anyone's tenant, without being detected in any way.
The vulnerability combines two issues: a legacy service called "actor tokens", and a critical Elevation of Privilege bug tracked as CVE-2025-55241.
Actor tokens are undocumented, unsigned authentication tokens used by Microsoft services to impersonate users across tenants. They are issued by a legacy system called Access Control Service (ACS) and were originally designed for service-to-service (S2S) authentication.
Deprecating and phasing out
According to security researcher Dirk-jan Mollema, who discovered the flaw, these tokens bypass standard security controls, are not logged, and remain valid for 24 hours, which makes them usable for unauthorized access without detection.
Mollema demonstrated that by crafting impersonation tokens using public tenant IDs and user identifiers, he could access sensitive data and perform administrative actions in other organizations' environments.
These actions included creating users, resetting passwords, and modifying configurations, all without generating logs in the victim tenant.
"I tested this in a few more test tenants I had access to, to make sure I was not crazy, but I could indeed access data in other tenants, as long as I knew their tenant ID (which is public information) and the netId of a user in that tenant," Mollema explained.
As it turns out, the Azure AD Graph API, a deprecated system that is slowly being phased out, accepted impersonation tokens issued for one tenant and applied them to another, bypassing Conditional Access policies and standard authentication checks.
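The missing check, reduced to its essence: a delegated token carries the tenant it was issued for, and the resource receiving it must bind that tenant to the tenant being accessed. The following is an added illustration written for this page, not Microsoft's actor-token format or Azure AD Graph code; the claim names (`tid`, `sub`, `exp`), the unsigned `alg: none` layout, the tenant GUIDs and the `sub` values are all constructed for the example. `authorize_vulnerable` mirrors the reported behaviour (it checks expiry and identity but never compares the token's tenant with the target), while `authorize_hardened` rejects any token whose tenant does not match.

```python
import base64
import json

# Constructed tenant IDs and user identifier for the example (not real tenants).
OWN_TENANT = "11111111-1111-1111-1111-111111111111"     # tenant the token was issued for
TARGET_TENANT = "22222222-2222-2222-2222-222222222222"  # unrelated tenant being accessed
NOW = 1_700_000_000                                     # fixed clock for deterministic checks
LIFETIME = 24 * 60 * 60                                 # 24-hour validity, as the article describes


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # Restore the padding that base64url strips.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(claims: dict) -> str:
    """Build an unsigned JWT-style token (hypothetical layout, alg 'none')."""
    header = {"alg": "none", "typ": "JWT"}
    return f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}."


def decode_claims(token: str) -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    return json.loads(_b64url_decode(parts[1]))


def authorize_vulnerable(token: str, target_tenant: str, now: int) -> bool:
    """Accepts any unexpired token naming a subject; never looks at target_tenant."""
    claims = decode_claims(token)
    if claims.get("exp", 0) <= now:
        return False
    return bool(claims.get("sub"))


def authorize_hardened(token: str, target_tenant: str, now: int) -> bool:
    """Same checks, plus the tenant binding the vulnerable path omits."""
    claims = decode_claims(token)
    if claims.get("exp", 0) <= now:
        return False
    if claims.get("tid") != target_tenant:
        return False  # token issued for another tenant: reject before any lookup
    return bool(claims.get("sub"))


# Token legitimately issued in OWN_TENANT, then replayed against TARGET_TENANT.
IMPERSONATION_TOKEN = make_unsigned_token({
    "tid": OWN_TENANT,
    "sub": "user-netid-constructed",
    "exp": NOW + LIFETIME,
})

if __name__ == "__main__":
    print("vulnerable, cross-tenant:", authorize_vulnerable(IMPERSONATION_TOKEN, TARGET_TENANT, NOW))
    print("hardened, cross-tenant:  ", authorize_hardened(IMPERSONATION_TOKEN, TARGET_TENANT, NOW))
    print("hardened, own tenant:    ", authorize_hardened(IMPERSONATION_TOKEN, OWN_TENANT, NOW))
```

The point of the contrast is that both functions validate the token's own fields; only the hardened one ties the token to the resource's tenant, which is the check the article says Azure AD Graph lacked. In a real system the token would also be signed and the signature verified before any claim is trusted.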
Mollema reported the issue to Microsoft, which acknowledged it in mid-July 2025 and patched it within two weeks. CVE-2025-55241 was assigned a severity score of 10/10 (critical) and was formally addressed on September 4.
The Azure AD Graph API is being deprecated, while the tokens, which Microsoft describes as "high-privileged access" mechanisms used internally, are being phased out.
Via BleepingComputer