Red Hot Cyber, The cybersecurity news


Critical vulnerability in Microsoft Entra ID: risk of total takeover

Redazione RHC : 19 September 2025 15:47

Microsoft has closed a critical bug that could have severely compromised its cloud environments: Dutch researcher Dirk-Jan Mollema discovered two interconnected flaws in the Entra ID (formerly Azure Active Directory) identity management service that, when combined, could have allowed an attacker to obtain global administrator rights and effectively take control of any Azure tenant.

The first issue involved a little-known mechanism for issuing internal tokens, the so-called Actor Tokens, used for authentication. The second involved a legacy Azure AD Graph interface that incorrectly verified which tenant a request was coming from, causing it to accept tokens belonging to users in other tenants.

The combination of these flaws allowed a test or trial account to request tokens, grant itself another user's privileges, and create an administrator with unlimited rights in another tenant, with the ability to edit settings, add users, and manage subscriptions and Entra ID applications. The vulnerability has been assigned CVE-2025-55241.
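The second flaw described above is a missing tenant-binding check: a token that is cryptographically valid is accepted even though it was issued for a different tenant. The following is an added illustration, not code from the article or from Microsoft; it uses a constructed HMAC-signed token format and assumes a `tid` (tenant id) claim to show the weak validator beside the hardened one.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key. A real validator checks against the issuer's published keys.
SIGNING_KEY = b"demo-key-not-a-real-secret"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def mint_token(claims: dict) -> str:
    """Constructed token format: base64url(JSON claims).base64url(HMAC-SHA256)."""
    body = b64url(json.dumps(claims, sort_keys=True).encode())
    sig = b64url(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_signature(token: str) -> Optional[dict]:
    """Return the claims if the signature is valid, otherwise None."""
    body, _, sig = token.rpartition(".")
    expected = b64url(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None
    padded = body + "=" * (-len(body) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def accept_request_weak(token: str, resource_tenant: str) -> bool:
    # Flaw class from the article: the signature checks out, so the token is
    # trusted without asking which tenant it was issued for.
    return verify_signature(token) is not None


def accept_request_hardened(token: str, resource_tenant: str) -> bool:
    claims = verify_signature(token)
    if claims is None:
        return False
    # Bind the token to the tenant that owns the resource being accessed;
    # a valid token for tenant A must not grant access to tenant B.
    return claims.get("tid") == resource_tenant
```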

Mollema reported the discovery to the Microsoft Security Response Center on July 14. The company promptly launched an investigation, implemented a fix within days and confirmed a full mitigation by July 23, with additional measures in August.

In official comments, Microsoft representatives cited changes to token validation logic and accelerated work to decommission legacy protocols as part of the Secure Future Initiative. An internal review found no evidence of exploitation of the vulnerability.

Experts emphasize that flaws in identity providers are among the most dangerous: they can bypass conditional access mechanisms, logging, and multi-factor authentication, opening access to every service linked to Entra ID, including Azure, Exchange, SharePoint, and others. A prime example is the 2023 Storm-0558 incident, when a compromised signing key allowed attackers to forge tokens and access cloud mail systems.

Unlike previous incidents, this combination of flaws required only the manipulation of internal token types and a legacy API, making the attack easier to carry out under certain conditions.

Mollema and Microsoft emphasize the importance of rapidly decommissioning legacy components and continuously auditing internal token issuance mechanisms. The cloud identity ecosystem remains a center of trust for a vast number of organizations, and a breach in its foundation poses the risk of widespread impact, from data compromise to a complete takeover of managed services.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
