Entra ID Vulnerability: Critical Access Risk
A significant security flaw in Microsoft Entra ID (formerly Azure AD) allowed potential unrestricted access to any client without detection. Researcher Dirk-Jan Mollema discovered the vulnerability, which stemmed from "actor tokens" used for internal service communication. Microsoft addressed the issue (CVE-2025-55241) swiftly.
Undocumented Tokens & Exploitation
The core issue: undocumented tokens bypassed standard security checks via the outdated Azure AD Graph API. Attackers possessing a valid token from any tenant could impersonate users, including global admins, in other tenants. These tokens, valid for 24 hours, could not be revoked and left no audit trail.
Exploitation required only a public tenant ID and a user's Netid, details obtainable through brute force or public tokens. Existing guest links (B2B trusts) could facilitate escalation across multiple tenants.
Expert Context
The incident highlights potential risks inherent in complex cloud authentication systems. The use of undocumented tokens, while intended to streamline internal processes, created a significant security gap when combined with outdated API functionality. The lack of logging and revocation capabilities further exacerbated the problem, making detection and remediation challenging. This situation underscores the importance of robust security testing and continuous monitoring of internal authentication mechanisms.
Remediation & Ongoing Concerns
Microsoft secured the Azure AD Graph API and announced further measures to contain the outdated token mechanisms. The incident raises essential questions about transparency and traceability within cloud environments.
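Because the attack path ran through the outdated Azure AD Graph API and left no trail in the target tenant, one thing a defender can still do is inventory which of their own applications continue to call that legacy API, so the dependency can be retired rather than waited out. The script below is an added example, not code from the article, from the researcher, or from Microsoft. It assumes sign-in records exported in the shape of the Microsoft Graph `signIn` resource (fields `appDisplayName`, `userPrincipalName`, `resourceId`, `resourceDisplayName`) and uses the well-known service principal app ID of Azure AD Graph (`00000002-0000-0000-c000-000000000000`, the "Windows Azure Active Directory" resource) to tell legacy calls apart from Microsoft Graph calls. The sample records are constructed.

```python
"""Inventory sign-ins that still target the legacy Azure AD Graph API.

Added example (not from the article). Field names follow the Microsoft
Graph `signIn` resource; the records below are constructed samples.
"""
import json
from collections import defaultdict

# Assumption: well-known app IDs of the two Graph resources.
AAD_GRAPH_APP_ID = "00000002-0000-0000-c000-000000000000"  # legacy Azure AD Graph
MS_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"   # Microsoft Graph

# Constructed sample export of sign-in records (JSON text, as an export would be).
SAMPLE_SIGNINS = json.dumps([
    {"appDisplayName": "Legacy HR Sync", "userPrincipalName": "alice@example.com",
     "resourceId": AAD_GRAPH_APP_ID, "resourceDisplayName": "Windows Azure Active Directory"},
    {"appDisplayName": "Legacy HR Sync", "userPrincipalName": "bob@example.com",
     "resourceId": AAD_GRAPH_APP_ID, "resourceDisplayName": "Windows Azure Active Directory"},
    {"appDisplayName": "Portal", "userPrincipalName": "alice@example.com",
     "resourceId": MS_GRAPH_APP_ID, "resourceDisplayName": "Microsoft Graph"},
    # A record with no user principal (e.g. an app-only sign-in) still counts.
    {"appDisplayName": "Old Script",
     "resourceId": AAD_GRAPH_APP_ID.upper(), "resourceDisplayName": "Windows Azure Active Directory"},
])


def load_signins(text):
    """Parse an exported list of sign-in records from JSON text."""
    records = json.loads(text)
    if not isinstance(records, list):
        raise ValueError("expected a JSON array of sign-in records")
    return records


def is_legacy_graph(record):
    """True when the sign-in targeted the legacy Azure AD Graph resource.

    Matches on the resource app ID (case-insensitive) and falls back to the
    display name, since some exports carry only one of the two.
    """
    resource_id = str(record.get("resourceId", "")).lower()
    resource_name = str(record.get("resourceDisplayName", "")).lower()
    return resource_id == AAD_GRAPH_APP_ID or resource_name == "windows azure active directory"


def legacy_graph_usage(records):
    """Return {app display name: sorted list of principals} for legacy Graph callers."""
    usage = defaultdict(set)
    for record in records:
        if not is_legacy_graph(record):
            continue
        app = record.get("appDisplayName") or "<unknown app>"
        principal = record.get("userPrincipalName") or "<service principal>"
        usage[app].add(principal)
    return {app: sorted(principals) for app, principals in sorted(usage.items())}


if __name__ == "__main__":
    for app, principals in legacy_graph_usage(load_signins(SAMPLE_SIGNINS)).items():
        print(f"{app}: {', '.join(principals)}")
```

Run against a real export, the output is a list of applications to migrate to Microsoft Graph; anything that still appears after the legacy API is retired is a candidate for a broken integration rather than a security finding, since the vulnerability itself did not show up in the target tenant's logs.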
Timeline of Events
- Discovery: Researcher Dirk-Jan Mollema identifies the vulnerability.
- Notification: Microsoft is informed of the issue.
- Resolution: Microsoft addresses the vulnerability (CVE-2025-55241).
Entra ID Vulnerability Exposed Critical Access Risk
A serious security hole in Microsoft Entra ID, found by researcher Dirk-Jan Mollema, could have let attackers access almost any client without being noticed.
Q: What was the main problem with the Entra ID vulnerability?
A: The vulnerability allowed for potential unrestricted access to any client without detection, stemming from “actor tokens” used for internal service communication.
Q: Who discovered this Entra ID flaw?
A: Researcher Dirk-Jan Mollema discovered the vulnerability.
Q: What is the CVE number for this Entra ID vulnerability?
A: The vulnerability is addressed as CVE-2025-55241.
Q: How could attackers exploit this Entra ID vulnerability?
A: They could use valid tokens from any tenant to impersonate users, including global admins, in other tenants.
Q: How long were these exploitable tokens valid?
A: These tokens were valid for 24 hours.
Q: Could Microsoft revoke these problematic tokens?
A: No, these tokens could not be revoked once issued.
Q: Would an attack leave any record in the target system?
A: No, compromising activity was not logged in the target client, hindering detection.
Q: What type of access could attackers possibly gain?
A: Attackers could possibly gain global admin access to any Entra ID tenant.
Q: What information was needed to exploit this Entra ID issue?
A: Exploitation required only a public tenant ID and a user’s Netid.
Q: Did Microsoft fix this Entra ID vulnerability?
A: Yes, Microsoft addressed the issue and secured the Azure AD Graph API.
Q: What made detecting this vulnerability difficult?
A: The lack of logging and revocation capabilities made detection and remediation challenging.
Q: What systems were involved in this Entra ID security issue?
A: The issue involved internal “actor tokens” and the outdated Azure AD Graph API.