
Microsoft Addresses Critical Entra ID Vulnerability Allowing Global Admin Impersonation Across Tenants

A critical vulnerability in Microsoft’s Entra ID (formerly Azure Active Directory) could have allowed attackers to impersonate any user, including Global Administrators, across all tenants. This flaw, designated as CVE-2025-55241, has a maximum CVSS score of 10.0 and represents a significant privilege escalation risk. Microsoft addressed this issue on July 17, 2025, after receiving a report from security researcher Dirk-jan Mollema on July 14.

The vulnerability stems from a token-validation failure: service-to-service (S2S) actor tokens accepted by the legacy Azure AD Graph API were not adequately checked against the tenant that originated them. A token issued in one tenant could therefore be misused for cross-tenant access, potentially compromising every Entra ID tenant globally, apart from some national cloud deployments.
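As an added illustration of the validation gap described above (not code from the article, from Mollema's research, or from Microsoft), the simplified validator below contrasts a check that trusts whatever tenant an impersonation claim names with one that binds that claim to both the issuing tenant and the tenant being accessed; the signing key, claim names and token layout are assumptions for the demo, not Entra ID's real actor-token format.

```python
import base64, hashlib, hmac, json

# Constructed demo key standing in for the issuer's signing key. Claim names and
# nesting below are assumptions for illustration, not the real actor-token format.
DEMO_KEY = b"constructed-demo-key"
ATTACKER_TENANT, VICTIM_TENANT = "tenant-A-attacker", "tenant-B-victim"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(header: str, body: str) -> str:
    mac = hmac.new(DEMO_KEY, f"{header}.{body}".encode(), hashlib.sha256)
    return _b64url(mac.digest())

def mint(claims: dict) -> str:
    """Issue a compact HS256-style token (constructed demo, not Entra's format)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    return f"{header}.{body}.{_sign(header, body)}"

def _verified_claims(token: str) -> dict:
    """Check signature and audience, the only checks the weak path performs."""
    header, body, sig = token.split(".")
    if not hmac.compare_digest(sig, _sign(header, body)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("aud") != "graph.windows.net":
        raise ValueError("wrong audience")
    return claims

def accept_weak(token: str, resource_tenant: str) -> dict:
    """Trusts the tenant named in the impersonation claim without binding it."""
    target = _verified_claims(token)["actor_for"]
    return {"tenant": target["tid"], "user": target["upn"]}

def accept_hardened(token: str, resource_tenant: str) -> dict:
    """Requires issuing tenant == impersonated tenant == tenant being accessed."""
    claims = _verified_claims(token)
    target = claims["actor_for"]
    if not (claims["tid"] == target["tid"] == resource_tenant):
        raise PermissionError("cross-tenant impersonation rejected")
    return {"tenant": target["tid"], "user": target["upn"]}

# Constructed token: minted by tenant A but claiming to act for tenant B's admin.
CROSS_TENANT_TOKEN = mint({"aud": "graph.windows.net", "tid": ATTACKER_TENANT,
                           "actor_for": {"tid": VICTIM_TENANT, "upn": "admin@victim.example"}})
```

The weak path happily returns tenant B's admin identity for a token tenant A minted, while the hardened path rejects it; a token whose issuing and impersonated tenant both match the accessed tenant still passes.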

An attacker exploiting this flaw could manipulate Microsoft’s Conditional Access policies and carry out unauthorized actions such as reading user data, changing group and role settings, or exfiltrating sensitive information stored in Entra ID. Impersonating a Global Administrator in particular would let an attacker alter permissions, create new accounts, or extract sensitive data, ultimately leading to a complete compromise of the tenant.

Notably, since the tokens from the problematic Graph API are subject to Conditional Access, an attacker could bypass standard security measures like multi-factor authentication (MFA) without leaving any trace due to insufficient API-level logging. Mollema indicated that accessing resources like SharePoint Online and Exchange Online through an impersonated admin would be trivial, as Global Admins have the authority to grant permissions across Azure subscriptions.

The Azure AD Graph API has since been deprecated, and customers are encouraged to migrate to Microsoft Graph. Retiring the legacy API removes weak points such as the one exploited here, as Microsoft phases out support for its older interfaces.

In addition to this vulnerability, recent findings have spotlighted other critical security threats associated with Microsoft products. These include issues with OneDrive for Business, unauthorized access through OAuth misconfigurations, and potential data leaks due to misconfigured Azure AD application credentials.

With these developments underscoring long-standing issues within cloud security, experts urge organizations to closely monitor their configurations and access controls to mitigate risks associated with such vulnerabilities. They stress that lack of appropriate validation and logging can complicate the detection and response to security breaches, emphasizing the need for robust cloud security practices.
