Article illustration 1

Imagine an attacker silently gaining full control over your organization's identity management system—able to reset passwords, create admins, or access sensitive data, all without leaving a trace. This near-catastrophic scenario was possible due to a critical flaw in Microsoft Entra ID (formerly Azure Active Directory), uncovered by security researcher Dirk-jan Mollema. The vulnerability, now patched, exploited a dangerous cocktail of legacy components: unsigned "actor tokens" and a privilege escalation bug in the deprecated Azure AD Graph API (CVE-2025-55241).

The Anatomy of the Flaw

Entra ID is Microsoft's cloud-based identity backbone, managing access for services like Microsoft 365, Salesforce, and custom apps. Mollema discovered that actor tokens—undocumented relics from the legacy Access Control Service—could be manipulated to impersonate any user. These tokens lack critical safeguards:
- No signatures, allowing arbitrary user impersonation.
- 24-hour validity with no revocation mechanism.
- Bypass Conditional Access policies and audit logs.

As Mollema detailed in his technical analysis, the exploit chain began when he altered a token's tenant ID and sent it to the Azure AD Graph API. Instead of rejecting it, the API validated the token but denied access due to a missing user—revealing that the token itself was accepted. By inserting a valid user ID from a target tenant (identifiable via public APIs), he gained unauthorized access:

"I could indeed access data in other tenants, as long as I knew their tenant ID and the netId of a user. I then impersonated Global Admins to perform any action—no logs were generated until the final step." — Dirk-jan Mollema, Founder of Outsider Security

Silent and Devastating Impact

An attacker could hijack any tenant in four steps:
1. Generate an actor token from a controlled tenant.
2. Use public APIs to find the target tenant ID and a user's netId.
3. Craft an impersonation token for that user.
4. Escalate to Global Admin and execute malicious actions.

Only the last step logged activity in the victim tenant, making detection nearly impossible. This flaw threatened every Entra ID customer, as actor tokens were used internally by Microsoft for service-to-service communication—highlighting the risks of deprecated infrastructure.

Microsoft's Response and Broader Lessons

Microsoft patched CVE-2025-55241 on September 4, 2025, after Mollema's July disclosure. The Azure AD Graph API was already slated for deprecation, with usage restrictions announced in June. While resolved, this episode underscores a harsh truth: legacy systems often harbor hidden vulnerabilities that can cascade into systemic risks. For developers and security teams, it reinforces the urgency of auditing authentication flows, phasing out old APIs, and demanding robust logging for all token-based operations. In an era where identity is the new perimeter, overlooking such seams in the cloud fabric invites disaster.

Source: BleepingComputer