Vulnerability CVE-2025-55241 in Entra ID enabled global admin takeover in tenants

A brief update from this week: On September 17, 2025, details of the CVE-2025-55241 vulnerability in Microsoft Entra ID were made public. The vulnerability would have allowed any attacker to obtain tokens with which they could assume the global administrator role in any tenant.

Entra ID vulnerability CVE-2025-55241

Entra ID is the identity and access management service that Microsoft uses for Azure and Microsoft 365. On September 4, 2025, Microsoft published an advisory for CVE-2025-55241 in Microsoft Entra ID, an elevation of privilege vulnerability in Azure Entra. It gave few details, only that customers need not take any action and that no exploitation had been detected. The vulnerability had already been closed in July 2025. Still, the CVSS 3.1 score of 10.0 should make Azure Entra users a little uneasy.

Entra ID enables tenant takeover

The seriousness of the whole situation only became public on September 17, 2025, when the discoverer of the vulnerability, Dirk-jan Mollema, disclosed it in his blog post One Token to rule them all – obtaining Global Admin in every Entra ID tenant via Actor tokens.

Entra ID Vulnerability

Tomas Jakobs and other German blog readers pointed out the issue in my German blog's discussion section (thanks for that). Here is a summary of what was discovered: While preparing for presentations at Black Hat and DEF CON in July 2025, Dirk-jan Mollema stumbled upon the most significant Entra ID security vulnerability imaginable.

He was able to compromise every publicly accessible Entra ID tenant worldwide via a vulnerability and take complete control of it as a global administrator. The vulnerability consisted of two components:

  • Undocumented identity tokens, known as "actor tokens," which Microsoft uses in its backend for service-to-service (S2S) communication.
  • In addition, there was a critical bug in the (old) Azure AD Graph API that did not properly validate the original tenants, allowing these tokens to be used for cross-tenant access.

This allowed Dirk-jan Mollema to request an access token in his lab tenant that he could use to authenticate as any user in any other tenant (even as a global admin). Due to the nature of these actor tokens, they are not subject to security policies such as conditional access. This means that there was no setting with which even a hardened tenant could have mitigated this.
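To make the second bullet concrete, here is an added illustration (not code from the original post, from the discoverer, or from Microsoft) of the class of check the post says was missing: on the resource side, the tenant a token was issued in must match the tenant whose data is being accessed. The two-part token format, the claim names (tid, sub, exp) and the symmetric HMAC signing key are all constructed assumptions for this demo and do not describe the real actor-token layout; the example only contrasts an authorizer that trusts any validly signed token for any tenant with one that enforces the tenant match.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret: a symmetric HMAC key stands in for the issuer's
# signing key. This is an assumption for the demo, not how Entra ID signs tokens.
SIGNING_KEY = b"constructed-demo-signing-key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(issuing_tenant: str, subject: str, ttl_seconds: int = 3600) -> str:
    """Issue a token in a constructed format: base64url(JSON claims).base64url(HMAC-SHA256).

    The claim names tid/sub/exp are assumptions for this demo, not a documented token layout.
    """
    claims = {"tid": issuing_tenant, "sub": subject, "exp": int(time.time()) + ttl_seconds}
    body = _b64url(json.dumps(claims, sort_keys=True).encode())
    sig = _b64url(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def _verified_claims(token: str) -> dict:
    """Verify signature and expiry, then return the claims; raise PermissionError otherwise."""
    try:
        body, sig = token.split(".")
    except ValueError:
        raise PermissionError("malformed token")
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64url(sig), expected):
        raise PermissionError("bad signature")
    claims = json.loads(_unb64url(body))
    if claims.get("exp", 0) < time.time():
        raise PermissionError("expired")
    return claims


def authorize_without_tenant_check(token: str, resource_tenant: str) -> dict:
    """Weak pattern: any validly signed, unexpired token is accepted for ANY tenant's data.

    Nothing ties claims['tid'] (where the token was issued) to resource_tenant
    (whose data is being read), so a token from one tenant works across tenants.
    """
    claims = _verified_claims(token)
    return {"tenant": resource_tenant, "as_user": claims["sub"]}


def authorize_with_tenant_check(token: str, resource_tenant: str) -> dict:
    """Hardened pattern: the token's issuing tenant must equal the tenant being accessed."""
    claims = _verified_claims(token)
    if claims.get("tid") != resource_tenant:
        raise PermissionError(
            f"token issued in tenant {claims.get('tid')!r} may not access tenant {resource_tenant!r}"
        )
    return {"tenant": resource_tenant, "as_user": claims["sub"]}


if __name__ == "__main__":
    # Constructed tenant names: the token comes from "lab-tenant", the request targets "victim-tenant".
    token = mint_token("lab-tenant", "admin@lab.example")
    print("weak authorizer:", authorize_without_tenant_check(token, "victim-tenant"))
    try:
        authorize_with_tenant_check(token, "victim-tenant")
    except PermissionError as err:
        print("hardened authorizer rejected:", err)
```

The point of the contrast is that signature and expiry checks alone say nothing about scope: a token can be perfectly genuine and still be presented against the wrong tenant, so the resource API has to compare the issuing tenant against the tenant it is about to act on, and the check has to be enforced on the server side rather than left to a client-side policy.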

Even more explosive: requesting actor tokens leaves no traces in logs. And even if a log entry had been created, the request for the access token would have been logged in the attacker's tenant, not in the tenant of the compromised victim. This means that the victim had no record of the existence of these tokens.

With these compromised identities, access could also have been extended to Microsoft 365 and Azure. Details can be found in the discoverer's article (English) or the heise article (German). The discoverer reported this vulnerability, CVE-2025-55241, to the Microsoft Security Response Center (MSRC) on the same day. Microsoft closed this vulnerability within a few days of it being reported. In addition, further remedial measures were introduced to prevent applications from requesting these actor tokens for the Azure AD Graph API.

Security by Redmond – full of holes like Swiss cheese?

Yes, the vulnerability was fixed within days and no longer exists. But just let that thought sink in for a moment: someone could request an access token and use it to take over any tenant worldwide as a global administrator and wreak havoc there. To put it bluntly, Microsoft Entra ID is simply broken.

Well, German blog readers said this was not a vulnerability; they called it a backdoor for intelligence services. This brings to mind the episodes involving Chinese hackers (Storm-0558) in Microsoft's cloud (see China hacker (Storm-0558) accessed Outlook accounts in Microsoft's cloud) and Microsoft hacked by Russian Midnight Blizzard; emails exfiltrated since Nov. 2023, where emails had been spied on since November 2023. Although the cases were different, attackers also had free rein over the tenants of interest.

Furthermore, a blog reader had referred in the comments to my blog post Exchange Online and MS365 problems due to vulnerability? (March 2025), where I described a bizarre situation that happened to a poor tenant administrator. He had ChatGPT create a script which, when executed, sent other tenants "into digital oblivion" and had to be stopped by Microsoft. The report was dismissed as "pure fantasy," but with the above findings, the question remains: "What else is coming, and what else is lurking undiscovered in Entra ID?"

In response to the incidents I mentioned in the list of links at the end of the article, some politicians sounded the alarm and Microsoft promised improvements – including the Secure Future Initiative. But one can't help but tremble at the thought of when the next blunder will come to light. This ties in with the topic addressed by our colleagues at Bleeping Computer in their recent article U.S. Senator accuses Microsoft of "gross cybersecurity negligence".

Similar articles:
Microsoft 365/Exchange Online outage from March 1st, 2025 still continues on 3/3/2025?
Outlook also disrupted on March 6, 2025
Vulnerability cause of Exchange Online and MS 365 problems since March 1, 2025?
Exchange Online and MS365 problems due to vulnerability? (March 2025)

China hacker (Storm-0558) accessed Outlook accounts in Microsoft's cloud
Follow-up to the Storm-0558 cloud hack: Microsoft is still in the dark
After CISA report on Storm-0558 hack, Microsoft provides customers with enhanced cloud logging
Stolen AAD key allowed (Storm-0558) wide-ranging access to Microsoft cloud services
Microsoft's Storm-0558 cloud hack: US senator among the victims
Microsoft's Storm-0558 cloud hack: MSA key comes from Windows crash dump of a PC

Microsoft as a Security Risk? U.S. senator calls for Microsoft to be held accountable over Azure cloud hack– Part 1
Microsoft as a Security Risk? Azure vulnerability unpatched since March 2023, heavy criticism from Tenable – Part 2

Microsoft hacked by Russian Midnight Blizzard; emails exfiltrated since Nov. 2023
Hewlett Packard Enterprise (HPE) hacked by Midnight Blizzard since May 2023
Microsoft confirms: Russian spies (Midnight Blizzard) stole source code while accessing systems
Microsoft slammed for a cascade of faults that leads to Storm-0558 cloud hack

Sharepoint servers are attacked via 0-day vulnerability (CVE-2025-53770)
Microsoft investigates whether SharePoint 0-day was leaked to hackers in advance
Insane: Microsoft let Chinese software engineers maintain the cloud of US Department of Defense
Microsoft says it's ending U.S. Defense Department cloud maintenance by Chinese software engineers
New insights on SharePoint Gate: Microsoft uses employees from China for maintenance
Microsoft restricts China's early access via MAPPS to vulnerabilities
