This serious Microsoft Entra flaw could have let hackers infiltrate any user, so patch now
By Sead Fadilpašić
Copyright techradar
Sead Fadilpašić
22 September 2025
Researchers found a potent combination of critical flaws and legacy services
Actor tokens allowed cross-tenant impersonation without logging or security checks
CVE-2025-55241 enabled Global Admin access via deprecated Azure AD Graph API
Microsoft patched the flaw in September 2025; actor tokens and Graph API are being phased out
Security researchers have found a critical vulnerability in Microsoft Entra ID which could have allowed threat actors to gain Global Administrator access to virtually anyone’s tenant – without being detected in any way.
The vulnerability consists of two things – a legacy service called “actor tokens”, and a critical Elevation of Privilege bug tracked as CVE-2025-55241.
Actor tokens are undocumented, unsigned authentication tokens used in Microsoft services to impersonate users across tenants. They are issued by a legacy system called Access Control Service (ACS) and were originally designed for service-to-service (S2S) authentication.
Deprecating and phasing out
According to security researcher Dirk-jan Mollema who discovered the flaw, these tokens bypass standard security controls, lack logging, and remain valid for 24 hours, which makes them exploitable for unauthorized access without detection.
Mollema demonstrated that by crafting impersonation tokens using public tenant IDs and user identifiers, he could access sensitive data and perform administrative actions in other organizations’ environments.
These actions included creating users, resetting passwords, and modifying configurations – all without generating logs in the victim tenant.
“I tested this in a few more test tenants I had access to, to make sure I was not crazy, but I could indeed access data in other tenants, as long as I knew their tenant ID (which is public information) and the netId of a user in that tenant,” Mollema explained.
As it turns out, Azure AD Graph API, a deprecated system that’s slowly being phased out, was accepting the tokens from one tenant and applying them to another, bypassing conditional access policies and standard authentication checks.
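To show the two weaknesses described above in concrete form, here is a constructed, simplified token check added for this article; it is not Microsoft's code or actor-token format. The token layout, per-tenant keys and tenant IDs are all made up. It contrasts a permissive validator (no signature check, no tenant binding, no logging) with a strict one that rejects unsigned tokens and tokens minted for a different tenant, and records a decision either way.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed example: a toy "tenant-scoped impersonation token" service.
# Nothing here is Microsoft's real format; keys and tenant IDs are invented.
ISSUER_KEYS = {  # per-tenant signing keys the resource service trusts
    "tenant-a-0001": b"tenant-a-secret",
    "tenant-b-0002": b"tenant-b-secret",
}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(tid: str, sub: str, key: Optional[bytes]) -> str:
    """Build 'payload.signature'; key=None yields an unsigned token (empty signature)."""
    payload = _b64(json.dumps({"tid": tid, "sub": sub, "aud": "graph"}).encode())
    sig = _b64(hmac.new(key, payload.encode(), hashlib.sha256).digest()) if key else ""
    return f"{payload}.{sig}"

def validate_permissive(token: str, target_tenant: str) -> Optional[dict]:
    """Weak acceptance: trusts the payload as-is, never looks at the signature
    and never compares the token's tenant with the tenant being accessed."""
    payload, _sig = token.split(".")
    return json.loads(_unb64(payload))

def validate_strict(token: str, target_tenant: str, audit: list) -> Optional[dict]:
    """Hardened acceptance: valid signature under the claimed tenant's key,
    tenant binding and audience check, and an audit entry for every decision."""
    payload, sig = token.split(".")
    claims = json.loads(_unb64(payload))
    key = ISSUER_KEYS.get(claims.get("tid"))
    expected = _b64(hmac.new(key, payload.encode(), hashlib.sha256).digest()) if key else ""
    if not sig or not expected or not hmac.compare_digest(sig, expected):
        audit.append(f"REJECT unsigned or forged token presented to {target_tenant}")
        return None
    if claims["tid"] != target_tenant or claims.get("aud") != "graph":
        audit.append(f"REJECT cross-tenant token tid={claims['tid']} target={target_tenant}")
        return None
    audit.append(f"ACCEPT impersonation sub={claims['sub']} tenant={target_tenant}")
    return claims
```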
Mollema reported the issue to Microsoft, which acknowledged it in mid-July 2025 and patched it within two weeks. CVE-2025-55241 was given a severity score of 10/10 (critical), and was officially addressed on September 4.
Azure AD Graph API is being deprecated, while the tokens, which Microsoft refers to as “high-privileged access” mechanisms used internally, are being phased out.
Via BleepingComputer
Sead Fadilpašić
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.