Microsoft has issued a patch for a severe vulnerability in Entra ID.


Microsoft has patched a critical vulnerability (CVE-2025-55241, CVSS 10.0) in Entra ID (formerly Azure Active Directory) that could have enabled attackers to impersonate any user—including Global Administrators—across all tenants worldwide.

🔍 What happened?

  • Reported July 14, 2025, by researcher Dirk-jan Mollema
  • Root cause:
    • "Actor tokens": undocumented service-to-service impersonation tokens issued by the Access Control Service (ACS) to Microsoft's own backend services
    • The legacy Azure AD Graph API (graph.windows.net) accepted an actor token issued in one tenant while impersonating a user in a different tenant; it never validated the originating tenant
  • Exploitation could allow:
    • Cross-tenant read access that left no trace in the victim tenant: actor-token issuance is not logged, and Azure AD Graph read requests were not logged either
    • Exfiltration of user details, group and role membership, tenant settings, device information, and BitLocker recovery keys stored in Entra ID
    • Impersonation of Global Admins → create accounts, escalate privileges, compromise Azure resources (such changes would show up in audit logs, but attributed to the impersonated user rather than the attacker)
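To make the root cause concrete, here is an added, deliberately simplified model that is not Microsoft's code and not the real ACS or Azure AD Graph token format (the ActorToken and ImpersonationToken fields, the issuer string and the tenant names are all assumed). It shows a resource API that checks who is calling but takes the tenant in the impersonation claims at face value, next to the binding check that closes the gap.

```python
"""Simplified model of the Azure AD Graph actor-token flaw behind CVE-2025-55241.

Hypothetical token model for illustration only: not the real ACS actor-token
or Azure AD Graph request format. It captures one thing: the resource API
verified the actor token (who is calling) but never checked that the tenant
named in the impersonation claims was the tenant the actor token was issued for.
"""
from dataclasses import dataclass

ACS_ISSUER = "acs.example"  # assumed issuer identifier for the actor-token issuer


@dataclass(frozen=True)
class ActorToken:
    """Service-to-service token issued by ACS to a backend service (assumed fields)."""
    issuer: str      # who minted it
    tenant_id: str   # tenant the token was issued in
    app_id: str      # calling service


@dataclass(frozen=True)
class ImpersonationToken:
    """Caller-constructed claims wrapping an actor token (assumed fields)."""
    actor: ActorToken
    tenant_id: str   # tenant the caller claims the user lives in
    user_id: str     # user the caller claims to be


class RejectedToken(Exception):
    pass


def authorize_vulnerable(token: ImpersonationToken, target_tenant: str) -> dict:
    """Models the pre-fix behaviour: the actor token is checked, but the tenant
    in the caller-supplied impersonation claims is trusted as-is."""
    if token.actor.issuer != ACS_ISSUER:
        raise RejectedToken("actor token not issued by ACS")
    if token.tenant_id != target_tenant:
        raise RejectedToken("impersonation claims do not name the requested tenant")
    # Missing check: token.actor.tenant_id is never compared with token.tenant_id.
    return {"tenant": token.tenant_id, "user": token.user_id}


def authorize_hardened(token: ImpersonationToken, target_tenant: str) -> dict:
    """Same checks plus tenant binding: the impersonated user must live in the
    tenant the actor token was issued for."""
    ctx = authorize_vulnerable(token, target_tenant)
    if token.actor.tenant_id != token.tenant_id:
        raise RejectedToken(
            f"actor token from tenant {token.actor.tenant_id} cannot impersonate "
            f"a user in tenant {token.tenant_id}"
        )
    return ctx


def accepted(validator, token: ImpersonationToken, target_tenant: str) -> bool:
    """True if the validator grants access, False if it rejects the token."""
    try:
        validator(token, target_tenant)
        return True
    except RejectedToken:
        return False


# Constructed scenario: the attacker controls tenant A, legitimately obtains an
# actor token there, then crafts impersonation claims for a user in victim tenant B.
ATTACKER_ACTOR = ActorToken(issuer=ACS_ISSUER, tenant_id="tenant-A", app_id="svc-app")
CROSS_TENANT = ImpersonationToken(actor=ATTACKER_ACTOR, tenant_id="tenant-B",
                                  user_id="global-admin@tenant-B")
SAME_TENANT = ImpersonationToken(actor=ATTACKER_ACTOR, tenant_id="tenant-A",
                                 user_id="user@tenant-A")

if __name__ == "__main__":
    for name, validator in (("vulnerable", authorize_vulnerable),
                            ("hardened", authorize_hardened)):
        print(f"{name}: cross-tenant accepted={accepted(validator, CROSS_TENANT, 'tenant-B')}, "
              f"same-tenant accepted={accepted(validator, SAME_TENANT, 'tenant-A')}")
```

The vulnerable path accepts the cross-tenant token because every check it performs is satisfied by data the attacker controls: a genuine actor token (from their own tenant) and impersonation claims they wrote themselves. The hardened path rejects it while still accepting the legitimate same-tenant case.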

📌 Why it matters

  • Actor tokens are not subject to Conditional Access, so MFA and device or location policies never applied, and the read access left nothing in the victim tenant's sign-in or audit logs for monitoring to catch
  • Would enable stealth access to sensitive corporate and cloud assets
  • Impact: full tenant compromise, reaching SharePoint, Exchange and, once a Global Admin elevates access, Azure subscriptions

Status

  • Fix deployed on Microsoft's side by July 17, 2025; no customer action was required
  • Legacy Azure AD Graph API fully retired Aug 31, 2025
  • Customers urged to migrate remaining applications to Microsoft Graph, starting with an inventory of app registrations that still declare Azure AD Graph permissions
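The migration starts with finding what still depends on the legacy API. The script below is an added example, not Microsoft tooling and not from the original post. It reads a JSON export shaped like the response to `GET https://graph.microsoft.com/v1.0/applications?$select=appId,displayName,requiredResourceAccess` and lists the app registrations that declare permissions on Azure AD Graph. The two resource application IDs are the real well-known identifiers; the sample export and every permission ID in it are constructed for this example.

```python
"""Inventory app registrations that still declare permissions on the legacy
Azure AD Graph API, the first step in migrating them to Microsoft Graph.

Input: a JSON document shaped like the response to
GET https://graph.microsoft.com/v1.0/applications?$select=appId,displayName,requiredResourceAccess
(applications under a "value" array). SAMPLE_EXPORT below is constructed for
this example; the permission IDs in it are placeholders, not real values.
"""
import json

# Well-known resource application IDs (real, stable identifiers).
AZURE_AD_GRAPH_APP_ID = "00000002-0000-0000-c000-000000000000"   # Azure AD Graph
MICROSOFT_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph

# Constructed sample export (four app registrations).
SAMPLE_EXPORT = json.dumps({
    "value": [
        {
            "appId": "11111111-1111-1111-1111-111111111111",
            "displayName": "HR Sync (legacy)",
            "requiredResourceAccess": [
                {"resourceAppId": AZURE_AD_GRAPH_APP_ID,
                 "resourceAccess": [
                     {"id": "aaaa0001-0000-0000-0000-000000000000", "type": "Role"},
                     {"id": "aaaa0002-0000-0000-0000-000000000000", "type": "Scope"}]},
            ],
        },
        {
            "appId": "22222222-2222-2222-2222-222222222222",
            "displayName": "Reporting Portal",
            "requiredResourceAccess": [
                {"resourceAppId": MICROSOFT_GRAPH_APP_ID,
                 "resourceAccess": [{"id": "bbbb0001-0000-0000-0000-000000000000", "type": "Scope"}]},
            ],
        },
        {
            "appId": "33333333-3333-3333-3333-333333333333",
            "displayName": "Mixed Dependencies",
            "requiredResourceAccess": [
                {"resourceAppId": MICROSOFT_GRAPH_APP_ID,
                 "resourceAccess": [{"id": "bbbb0002-0000-0000-0000-000000000000", "type": "Scope"}]},
                {"resourceAppId": AZURE_AD_GRAPH_APP_ID,
                 "resourceAccess": [{"id": "aaaa0003-0000-0000-0000-000000000000", "type": "Role"}]},
            ],
        },
        {
            "appId": "44444444-4444-4444-4444-444444444444",
            "displayName": "Nothing declared",
            "requiredResourceAccess": [],
        },
    ]
})


def find_azure_ad_graph_dependents(export_json: str) -> list[dict]:
    """Return one record per application that declares any Azure AD Graph
    permission: appId, displayName, and the number of application ("Role")
    and delegated ("Scope") permissions requested on the legacy API.
    Most application permissions first: app-only access runs unattended in
    service code, so those registrations need the earliest attention."""
    findings = []
    for app in json.loads(export_json).get("value", []):
        roles = scopes = 0
        declared = False
        for rra in app.get("requiredResourceAccess") or []:
            if rra.get("resourceAppId") != AZURE_AD_GRAPH_APP_ID:
                continue
            declared = True
            for access in rra.get("resourceAccess") or []:
                if access.get("type") == "Role":
                    roles += 1
                elif access.get("type") == "Scope":
                    scopes += 1
        if declared:
            findings.append({
                "appId": app.get("appId"),
                "displayName": app.get("displayName"),
                "applicationPermissions": roles,
                "delegatedPermissions": scopes,
            })
    findings.sort(key=lambda f: (-f["applicationPermissions"],
                                 -f["delegatedPermissions"],
                                 f["displayName"] or ""))
    return findings


if __name__ == "__main__":
    for f in find_azure_ad_graph_dependents(SAMPLE_EXPORT):
        print(f"{f['appId']}  {f['displayName']!r}: "
              f"{f['applicationPermissions']} application, "
              f"{f['delegatedPermissions']} delegated permission(s) on Azure AD Graph")
```

To run it against a real tenant, save the response of the request above (for example via Graph Explorer, or `az rest --method GET --url "https://graph.microsoft.com/v1.0/applications?\$select=appId,displayName,requiredResourceAccess"`) and pass the JSON text to `find_azure_ad_graph_dependents`; large tenants return the list in pages, so follow `@odata.nextLink` and concatenate the `value` arrays first. Two caveats: declared permissions are not the same as actual calls, since an application can call Azure AD Graph with whatever its service principal has been granted whether or not the registration declares it, and third-party multi-tenant apps only appear as service principals, not as your own registrations. Treat this list as the starting point and confirm live usage from sign-in logs before declaring the migration done.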

💡 Takeaway
This flaw underscores the risk of legacy APIs and of undocumented, high-privilege token flows inside a cloud identity platform. It was not a customer misconfiguration: tenant-side controls such as MFA and Conditional Access did not apply to actor tokens, and a single missing tenant check in the provider's own backend was enough to expose every tenant to silent, full-scale compromise. The lesson for defenders is to retire legacy API dependencies promptly and to assume that some attack paths will only ever be visible from the provider's side.

At Alcaeus Services, we help organizations audit cloud identity, enforce strong conditional access, and detect stealth privilege escalation attempts across Microsoft and multi-cloud environments.
