Close Menu
TechurzTechurz
    What's Hot

    AI law startup Norm raises $120M, hits unicorn valuation

    July 7, 2026

    This startup pits dealerships against each other to bid on your used car

    July 7, 2026

    Savi’s app aims to protect consumers from realistic AI scams like kidnappers demanding ransom

    July 7, 2026
    X (Twitter) Pinterest YouTube LinkedIn WhatsApp
    Tech Pulse
    • AI law startup Norm raises $120M, hits unicorn valuation
    • This startup pits dealerships against each other to bid on your used car
    • Savi’s app aims to protect consumers from realistic AI scams like kidnappers demanding ransom
    • Station F ramps up as a launchpad for Europe’s hottest AI startups
    • Smart glasses maker Even Realities hits $1B valuation with $150M funding led by Meituan, Tencent
    X (Twitter) Pinterest YouTube LinkedIn WhatsApp
    TechurzTechurz
    • Home
    • Tech Pulse
    • Future Tech
    • AI Systems
    • Cyber Reality
    • Disruption Lab
    • Signals
    TechurzTechurz
    Home - Cyber Reality - Microsoft Patches Critical Entra ID Flaw Enabling Global Admin Impersonation Across Tenants
    Cyber Reality

    Microsoft Patches Critical Entra ID Flaw Enabling Global Admin Impersonation Across Tenants

    TechurzBy TechurzSeptember 22, 2025Updated:May 10, 2026No Comments6 Mins Read
    Share Facebook Twitter Pinterest LinkedIn Tumblr Reddit Telegram Email
    Microsoft Patches Critical Entra ID Flaw Enabling Global Admin Impersonation Across Tenants
    Share
    Facebook Twitter LinkedIn Pinterest Email


    A critical token validation failure in Microsoft Entra ID (previously Azure Active Directory) could have allowed attackers to impersonate any user, including Global Administrators, across any tenant.

    The vulnerability, tracked as CVE-2025-55241, has been assigned the maximum CVSS score of 10.0. It has been described by Microsoft as a privilege escalation flaw in Azure Entra. There is no indication that the issue was exploited in the wild. It has been addressed by the Windows maker as of July 17, 2025, requiring no customer action.

    Security researcher Dirk-jan Mollema, who discovered and reported the shortcoming on July 14, said the shortcoming made it possible to compromise every Entra ID tenant in the world, with the likely exception of national cloud deployments.

    The problem stems from a combination of two components: the use of service-to-service (S2S) actor tokens issued by the Access Control Service (ACS) and a fatal flaw in the legacy Azure AD Graph API (graph.windows.net) that did not adequately validate the originating tenant, which effectively allowed the tokens to be used for cross-tenant access.

    What makes this noteworthy is that the tokens are subject to Microsoft’s Conditional Access policies, enabling a bad actor with access to the Graph API to make unauthorized modifications. To make matters worse, the lack of API level logging for the Graph API meant that it could be exploited to access user information stored in Entra ID, group and role details, tenant settings, application permissions, and device information and BitLocker keys synced to Entra ID without leaving any traces.

    An impersonation of the Global Administrator could allow an attacker to create new accounts, grant themselves additional permissions, or exfiltrate sensitive data, resulting in a full tenant compromise with access to any service that uses Entra ID for authentication, such as SharePoint Online and Exchange Online.

    “It would also provide full access to any resource hosted in Azure, since these resources are controlled from the tenant level and Global Admins can grant themselves rights on Azure subscriptions,” Mollema noted.

    Microsoft has characterized such instances of cross-tenant access as a case of “High-privileged access” (HPA) that “occurs when an application or service obtains broad access to customer content, allowing it to impersonate other users without providing any proof of user context.”

    It’s worth noting that the Azure AD Graph API has been officially deprecated and retired as of August 31, 2025, with the tech giant urging users to migrate their apps to Microsoft Graph. The initial announcement of the deprecation was made in 2019.

    “Applications that were configured for extended access that still depend on Azure AD Graph APIs will not be able to continue using these APIs starting in early September 2025,” Microsoft noted back in late June 2025.

    Cloud security company Mitiga said a successful exploitation of CVE-2025-55241 can bypass multi-factor authentication (MFA), Conditional Access, and logging, leaving no trail of the incident.

    “Attackers could craft these [actor] tokens in ways that tricked Entra ID into thinking they were anyone, anywhere,” Mitiga’s Roei Sherman said. “The vulnerability arose because the legacy API failed to validate the tenant source of the token.”

    “This meant that an attacker could obtain an Actor token from their own, non-privileged test environment and then use it to impersonate a Global Admin in any other company’s tenant. The attacker didn’t need any pre-existing access to the target organization.”

    Previously, Mollema also detailed a high-severity security flaw affecting on-premise versions of Exchange Server (CVE-2025-53786, CVSS score: 8.0) that could allow an attacker to gain elevated privileges under certain conditions. Another piece of research found that Intune certificate misconfigurations (such as spoofable identifiers) can be abused by regular users to perform an ESC1 attack targeting Active Directory environments.

    The development comes weeks after Binary Security’s Haakon Holm Gulbrandsrud disclosed that the shared API Manager (APIM) instance used to facilitate software-as-a-service (SaaS) connectors can be invoked directly from the Azure Resource Manager to achieve cross-tenant access.

    “API Connections allow anyone to fully compromise any other connection worldwide, giving full access to the connected backend,” Gulbrandsrud said. “This includes cross-tenant compromise of Key Vaults and Azure SQL databases, as well as any other externally connected service, such as Jira or Salesforce.”

    It also follows the discovery of several cloud-related flaws and attack methods in recent weeks –

    • An Entra ID OAuth misconfiguration that granted unauthorized access to Microsoft’s Engineering Hub Rescue even with a personal Microsoft account, exposing 22 internal services and associated data.
    • An attack that exploits Microsoft OneDrive for Business Known Folder Move (KFM) feature, allowing a bad actor who compromises a Microsoft 365 user with OneDrive sync to gain access to their apps and files synced to SharePoint Online.
    • The leak of Azure AD application credentials in a publicly accessible Application Settings (appsettings.json) file that could have been exploited to authenticate directly against Microsoft’s OAuth 2.0 endpoints, and exfiltrate sensitive data, deploy malicious apps, or escalate privileges.
    • A phishing attack containing a link to a rogue OAuth application registered in Microsoft Azure that tricked a user into granting it permissions to extract Amazon Web Services (AWS) access keys for a sandbox environment within the compromised mailbox, allowing unknown actors to enumerate AWS permissions and exploit a trust relationship between the sandbox and production environments to elevate privileges, gain complete control over the organization’s AWS infrastructure, and exfiltrate sensitive data.
    • An attack that involves exploiting Server-Side Request Forgery (SSRF) vulnerabilities in web applications to send requests to the AWS EC2 metadata service with the goal of accessing the Instance Metadata Service (IMDS) to compromise cloud resources by retrieving temporary security credentials assigned to the instance’s IAM role.
    • A now-patched issue in AWS’s Trusted Advisor tool that could be exploited to sidestep S3 Security Checks by tweaking certain storage bucket policies, causing the tool to incorrectly report publicly-exposed S3 buckets as secure, thereby leaving sensitive data exposed to data exfiltration and data breaches.
    • A technique code AWSDoor that modifies IAM configurations related to AWS role and trust policies to set up persistence on AWS environments.

    The findings show that even all-too-common misconfigurations in cloud environments can have disastrous consequences for the organizations involved, leading to data theft and other follow-on attacks.

    “Techniques such as AccessKey injection, trust policy backdooring, and the use of NotAction policies allow attackers to persist without deploying malware or triggering alarms,” RiskInsight researchers Yoann Dequeker and Arnaud Petitcol said in a report published last week.

    “Beyond IAM, attackers can leverage AWS resources themselves – such as Lambda functions and EC2 instances – to maintain access. Disabling CloudTrail, modifying event selectors, deploying lifecycle policies for silent S3 deletion, or detaching accounts from AWS Organizations are all techniques that reduce oversight and enable long-term compromise or destruction.”

    Admin Critical Enabling Entra flaw global Impersonation Microsoft patches Tenants
    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
    Previous ArticleThe Marketing Formula That’s Fueling Small Business Success
    Next Article Slow Android phone? Changing these 4 settings revitalized my whole system
    Techurz
    • Website

    Related Posts

    Opinion

    Indian tech tycoon bets $30M of his own money to build AI alternative to Microsoft Office

    July 2, 2026
    Opinion

    Anthropic’s latest feud with the Trump admin may actually help it, sales data suggests

    June 16, 2026
    Opinion

    Microsoft taps Alt Carbon in sign of India’s growing role in carbon removal

    June 11, 2026
    Add A Comment
    Latest Tech Pulse

    College social app Fizz expands into grocery delivery

    September 3, 20252,290

    12 Father’s Day E-Card Sites That Are Actually Good

    June 4, 202523

    SolarSquare in talks to raise up to $60M as India’s rooftop solar market draws major VC interest

    May 23, 202622
    Stay In Touch
    • YouTube
    • WhatsApp
    • Twitter
    • Pinterest
    • LinkedIn

    Techurz helps readers stay ahead of digital change with clear, practical, future focused technology intelligence written today,searched tomorrow.

    X (Twitter) Pinterest YouTube LinkedIn WhatsApp
    Company
    • About Us
    • Contact Us
    • Our Authors / Editorial Team
    • Write For Us
    • Advertise
    Policy
    • Editorial Policy
    • Privacy Policy
    • Terms and Conditions
    • Affiliate Disclosure
    • Cookie Policy
    • Disclaimer
    • DMCA
    Explore
    • AI Systems
    • Cyber Reality
    • Future Tech
    • Disruption Lab
    • Signals
    • Tech Pulse
    • Sitemap

    Join the Techurz Brief

    The future does not arrive suddenly.
    Stay ahead with fast, sharp tech signals.

    Type above and press Enter to search. Press Esc to cancel.