Entra ID vulnerability: Attackers could have taken over all tenants globally
Due to a vulnerability in Entra ID, attackers could have gained administrator access to any tenant. The security issue has been resolved for some time.
Microsoft's identity and access management service Entra ID was broken. Attackers could have exploited a "critical" security vulnerability with relatively little effort. This affected all Entra ID tenants globally. Microsoft closed the vulnerability in July of this year. Now, a security researcher is explaining the background to the vulnerability.
Successful exploitation of the vulnerability allowed admin access to any tenant. Because Entra ID is used by large companies around the world, among many other organizations, attacks could have had far-reaching consequences.
Background information
In a detailed article, a security researcher from Outsidersecurity explains the security problem. He states that he discovered the "critical" vulnerability (CVE-2025-55241) with the highest rating (CVSS score 10 out of 10) in July of this year and immediately reported it to Microsoft. He writes that Microsoft closed the vulnerability within a few days. Entra ID tenants did not have to do anything. The issue was apparently solved on the server side.
To exploit the vulnerability, attackers had to know a user's tenant ID and NetID. However, according to the researcher, both can be found out with relatively little effort. The critical classification of the vulnerability also supports the view that this requirement is not much of a hurdle.
Combined attack
According to the security researcher, an attack is based on two components. The first is an undocumented token for identity verification called an "Actor Token." Microsoft uses this in its backend for service-to-service communication.
The second component is the actual vulnerability in the Azure AD Graph API (Legacy), which does not sufficiently verify such tokens. As a result, attackers equipped with this token could have posed as administrators for any tenant. The security researcher explains that, due to their nature, these tokens slip past all security policies, meaning there was no countermeasure.
After successful attacks, attackers would have had full access to Entra ID tenants. Among other things, they could have viewed personal information and BitLocker keys and gained full control over services such as SharePoint Online. To make matters worse, an attacker with an actor token leaves no traces in logs.
Microsoft states that it is not aware of any such attacks. The security researcher provides further technical background information in his report. Microsoft lists further details in a warning message.
(des)