{"id":4977,"date":"2025-09-19T11:51:19","date_gmt":"2025-09-19T11:51:19","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=4977"},"modified":"2025-09-19T11:51:19","modified_gmt":"2025-09-19T11:51:19","slug":"entra-id-vulnerability-exposes-gaps-in-cloud-identity-trust-models-experts-warn","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=4977","title":{"rendered":"Entra ID vulnerability exposes gaps in cloud identity trust models, experts warn"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Security researchers are warning about a max-severity vulnerability in Microsoft Entra ID (formerly Azure Active Directory) that could allow attackers to impersonate any user in any tenant, including Global Administrators, without triggering MFA or Conditional Access, or leaving any normal login or audit trail.<\/p>\n<p>The flaw, first reported by red-teamer Dirk-jan Mollema, exploited \u201cActor tokens,\u201d a hidden Microsoft mechanism normally used for internal delegation, by manipulating a legacy API that failed to validate the originating tenant.<\/p>\n<p>According to Mitiga\u2019s follow-up breakdown of the exploit, an attacker in a benign environment could request an Actor token, then use it to pose as a privileged user in a completely separate organization.<\/p>\n<p>\u201cThe vulnerability arose because the legacy API failed to validate the tenant source of the Actor token,\u201d Mitiga researchers said in a <a href=\"https:\/\/www.mitiga.io\/blog\/breaking-down-the-microsoft-entra-id-actor-token-vulnerability-the-perfect-crime-in-the-cloud\" target=\"_blank\" rel=\"noopener\">blog post<\/a>. 
\u201cOnce impersonating a Global Admin, they could create new accounts, grant themselves permissions, or exfiltrate sensitive data.\u201d<\/p>\n<p>The bug, tracked as <a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2025-55241\" target=\"_blank\" rel=\"noopener\">CVE-2025-55241<\/a>, was reported to Microsoft in July; the company confirmed a few days later that a fix had been developed and pushed to global production.<\/p>\n<h2 class=\"wp-block-heading\">One token to rule them all<\/h2>\n<p>At the heart of the problem is a combination of the Actor token mechanism and a misconfigured API. Actor tokens are internal tools enabling services to act on behalf of users or other services within Microsoft\u2019s infrastructure.<\/p>\n<p>What Mollema discovered is that an API, Azure AD Graph API, did not check the tenant of an Actor token, meaning one could craft a token in their own test or low-privilege tenant and use it to impersonate an admin user in another, unrelated tenant. Azure AD Graph is a legacy REST API that Microsoft introduced years ago for interacting programmatically with Azure Active Directory (now Entra ID).<\/p>\n<p>According to Mitiga, an Actor token could be crafted using the tenant ID and netID values of target users, which can be accessed through guest accounts, leaked logs, or even brute force. The crafted (requested) Actor token, which Azure AD Graph did not scrutinize for source, could then be used to impersonate a Global Administrator.<\/p>\n<p>\u201cThis would result in full tenant compromise with access to any service that uses Entra ID for authentication, such as <a href=\"https:\/\/www.csoonline.com\/article\/4027971\/microsofts-incomplete-sharepoint-patch-led-to-global-exploits-by-china-linked-hackers.html\">SharePoint<\/a> Online and Exchange Online,\u201d Mollema had revealed in a blog post last week. 
\u201cIt would also provide full access to any resource hosted in Azure, since these resources are controlled from the tenant level and Global Admins can grant themselves rights on Azure subscriptions.\u201d<\/p>\n<p>Adding to the threat is the fact that requesting Actor tokens does not generate logs, so their use leaves no log entries, triggers no <a href=\"https:\/\/www.csoonline.com\/article\/4041752\/microsoft-entra-private-access-brings-conditional-access-to-on-prem-active-directory.html\">Conditional Access<\/a> enforcement, and produces no <a href=\"https:\/\/www.csoonline.com\/article\/3535222\/mfa-adoption-is-catching-up-but-is-not-quite-there.html\">MFA<\/a> prompts.<\/p>\n<h2 class=\"wp-block-heading\">Patching is done, yet the risk lingers<\/h2>\n<p>While CVE-2025-55241 initially carried a maximum base severity score of 10.0 out of 10, Microsoft later revised <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2025-55241\" target=\"_blank\" rel=\"noopener\">its advisory<\/a> on September 4 to rate the flaw at 8.7, reflecting its own exploitability assessment.<\/p>\n<p>Microsoft rolled out a fix globally within days of the initial report, adding that its internal telemetry did not reveal any evidence of exploitation up to that time. The patch blocked Actor tokens from being requested for Azure AD Graph API calls and introduced further mitigations to close off the impersonation vector.<\/p>\n<p>Additionally, the technology giant published <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/07\/08\/enhancing-microsoft-365-security-by-eliminating-high-privilege-access\/\" target=\"_blank\" rel=\"noopener\">a blog<\/a> about removing insecure legacy practices from its environment, though Mollema <a href=\"https:\/\/dirkjanm.io\/obtaining-global-admin-in-every-entra-id-tenant-with-actor-tokens\/\">complained<\/a> that there weren\u2019t any details on how many services still use these tokens. 
\u201cThis vulnerability has already been fully mitigated by Microsoft,\u201d Microsoft said in the advisory. \u201cThere is no action for users of this service to take.\u201d<\/p>\n<p>\u201cWe mitigated the newly identified issue quickly, and accelerated the remediation work underway to decommission this legacy protocol usage, as part of our Secure Future Initiative (SFI),\u201d said Tom Gallagher, VP of Engineering at Microsoft Security Response Center (MSRC). \u201cWe implemented a code change within the vulnerable validation logic, tested the fix, and applied it across our cloud ecosystem. We found no evidence of abuse of this vulnerability, and to maintain transparency, we issued a no-action CVE-2025-55241.\u201d<\/p>\n<p>The Mitiga team stresses that the problem highlights a broader category of risk: hidden trust deep inside cloud identity systems. \u201cMicrosoft has patched it, but the lack of historical visibility means defenders still can\u2019t be sure whether it was used in the past,\u201d the team added. \u201cThat uncertainty is the point: attackers keep looking for invisible pathways. Defenders need visibility everywhere \u2013 before, during, and after exploitation.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Security researchers are warning about a max-severity vulnerability in Microsoft Entra ID (formerly Azure Active Directory) that could allow attackers to impersonate any user in any tenant, including Global Administrators, without triggering MFA or Conditional Access, or leaving any normal login or audit trail. 
The flaw, first reported by red-teamer Dirk-jan Mollema, exploited \u201cActor tokens,\u201d [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":4948,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-4977","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4977"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4977"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4977\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/4948"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4977"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4977"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4977"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}