Critical Entra ID Flaw Enabling Global Admin Impersonation Across Tenants Patched by Microsoft


“Microsoft has patched a flaw that allowed Global Admin impersonation across tenants.”

Attackers could have assumed the identity of any user, including Global Administrators, in any tenant, due to a serious token validation flaw in Microsoft Entra ID (formerly Azure Active Directory).

The vulnerability, tracked as CVE-2025-55241, has been assigned the maximum CVSS score of 10.0. Microsoft describes it as an Azure Entra privilege escalation vulnerability. There is no evidence that it was exploited in the wild.

Microsoft fixed the issue on July 17, 2025, so no customer action is required.

Dirk-Jan Mollema, Security Researcher

According to security researcher Dirk-Jan Mollema, who found and reported the vulnerability on July 14, it would have allowed the compromise of every Entra ID tenant worldwide, most likely with the exception of national cloud deployments.

Because Azure resources are managed at the tenant level and Global Admins can grant themselves permissions on Azure subscriptions, “it would also provide unfettered access to every resource housed in Azure.”

The issue has two root causes: the use of service-to-service (S2S) actor tokens issued by the Access Control Service (ACS), and a flaw in the legacy Azure AD Graph API (graph.windows.net), which failed to validate the originating tenant and therefore accepted such tokens for cross-tenant access.

This is significant because actor tokens are not subject to Microsoft’s Conditional Access restrictions, so a bad actor could use them against the Graph API without those controls applying.
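To illustrate the class of defect just described, here is an added example (not Microsoft’s code and not the researcher’s proof of concept) of a toy multi-tenant resource server in Python: a single issuer mints tokens for every tenant, the legacy-style validator checks signature, audience and expiry but never binds the token’s tenant to the tenant whose data is being requested, and the hardened validator adds that check. The token format, claim names and signing key are assumptions.

```python
import base64, hashlib, hmac, json, time

# Constructed signing key: one issuer (standing in for ACS) mints tokens for every tenant,
# which is exactly why the resource side must check the tenant claim itself.
SIGNING_KEY = b"constructed-demo-key"
AUDIENCE = "graph"

def mint_actor_token(tenant_id, subject, ttl=300):
    """Mint a toy actor-style token (assumed claim names: tid, sub, aud, exp)."""
    claims = {"tid": tenant_id, "sub": subject, "aud": AUDIENCE, "exp": int(time.time()) + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"

def _verify_issuer(token):
    """Checks shared by both validators: signature, audience and expiry."""
    body, sig = token.rsplit(".", 1)
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims.get("aud") != AUDIENCE or claims.get("exp", 0) < time.time():
        raise ValueError("wrong audience or expired")
    return claims

def legacy_validate(token, target_tenant):
    """Vulnerable pattern: trusts the issuer but never binds the token to target_tenant."""
    claims = _verify_issuer(token)
    return claims["sub"]          # accepted for target_tenant whatever claims["tid"] says

def hardened_validate(token, target_tenant):
    """Fixed pattern: the tenant the token was issued for must be the tenant being accessed."""
    claims = _verify_issuer(token)
    if claims.get("tid") != target_tenant:
        raise PermissionError("token was issued for a different tenant")
    return claims["sub"]

def demo():
    """A token minted in the attacker's own tenant, presented against a victim tenant."""
    token = mint_actor_token("attacker-tenant", "admin@attacker-tenant")
    legacy_result = legacy_validate(token, "victim-tenant")
    try:
        hardened_validate(token, "victim-tenant")
        hardened_result = "accepted"
    except PermissionError:
        hardened_result = "rejected"
    return legacy_result, hardened_result
```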


To make matters worse, the Graph API’s lack of API-level logging made it possible to read tenant settings, application permissions, group and role details, device information, BitLocker keys synced to Entra ID, and user data stored in Entra ID without leaving any evidence.

An attacker impersonating a Global Administrator could achieve full tenant compromise: gaining access to any service that uses Entra ID for authentication, including SharePoint Online and Exchange Online, creating new accounts, granting themselves additional permissions, or exfiltrating sensitive data.

Microsoft classes cross-tenant access as “High-privileged access” (HPA), which “occurs when an application or service obtains broad access to customer content, allowing it to impersonate other users without providing any proof of user context.”

Notably, Microsoft is advising customers to migrate their apps to Microsoft Graph, as the Azure AD Graph API is officially deprecated and removed as of August 31, 2025. The deprecation was first announced in 2019.

Microsoft

“Applications that were configured for extended access that still depend on Azure AD Graph APIs will not be able to continue using these APIs starting in early September 2025,” Microsoft announced in the latter part of June 2025.

Mitiga, Cloud Security Company

According to cloud security firm Mitiga, successful exploitation of CVE-2025-55241 can bypass Conditional Access, multi-factor authentication (MFA), and logging, leaving no trace of the intrusion.

Roei Sherman, Mitiga

“These [actor] tokens might have been crafted by attackers to fool Entra ID into believing they were anyone, anywhere.” “The vulnerability occurred as a result of the legacy API’s inability to verify the token’s tenant source.”

This meant an attacker could impersonate a Global Admin in any other organization’s tenant by obtaining an actor token from their own, non-privileged test environment. No prior access to the target organization was required.

Mollema previously described a high-severity vulnerability affecting on-premises Exchange Server (CVE-2025-53786, CVSS score: 8.0) that could grant an attacker elevated access in certain situations.

Another study found that standard users could carry out an ESC1 attack against Active Directory by abusing Intune certificate misconfigurations (such as spoofable IDs).


The disclosure comes weeks after Haakon Holm Gulbrandsrud of Binary Security revealed that cross-tenant access could be obtained by directly calling the shared API Management (APIM) instance that backs software-as-a-service (SaaS) connections from Azure Resource Manager.

Gulbrandsrud

“Anyone can completely compromise any other connection in the world using API Connections, providing complete access to the linked backend.” “This includes any externally connected service, like Jira or Salesforce, as well as cross-tenant compromise of Azure SQL databases and Key Vaults.”

It also follows several cloud-related vulnerabilities and attack techniques found in recent weeks:

  • An Entra ID OAuth misconfiguration that allowed unauthorized access to Microsoft’s Engineering Hub Rescue, even with a personal Microsoft account, exposing 22 internal services and related data.
  • An attack that abuses the Known Folder Move (KFM) feature in Microsoft OneDrive for Business: by compromising a Microsoft 365 user who has OneDrive sync enabled, a malicious actor can access the apps and files synchronized to SharePoint Online.
  • Azure AD application credentials leaked in a publicly accessible Application Settings (appsettings.json) file, which could have been used to authenticate directly against Microsoft’s OAuth 2.0 endpoints, elevate privileges, exfiltrate private information, or deploy malicious apps.
  • A phishing attack that used a link to a malicious OAuth application registered in Microsoft Azure to trick a user into granting it permissions, then extracted Amazon Web Services (AWS) access keys for a sandbox environment from the compromised mailbox. This allowed the unknown actors to enumerate AWS permissions and abuse a trust relationship between the sandbox and production environments to elevate privileges, take total control of the organization’s AWS infrastructure, and exfiltrate sensitive data.
  • An attack that exploits Server-Side Request Forgery (SSRF) flaws in web applications to reach the AWS EC2 Instance Metadata Service (IMDS) and obtain the temporary security credentials tied to the instance’s IAM role, thereby compromising cloud resources.
  • A now-patched vulnerability in AWS’s Trusted Advisor tool that, by adjusting specific storage bucket policies, could be used to bypass its S3 security checks and make the tool wrongly report publicly exposed S3 buckets as secure, leaving sensitive data open to breach and exfiltration.
  • AWSDoor, a technique that establishes persistence in AWS environments by modifying IAM settings for AWS roles and their trust policies.

The findings show that even commonplace cloud configuration errors can have catastrophic consequences for the enterprises affected, leading to data theft and further attacks.

Yoann Dequeker & Arnaud Petitcol, Researchers, RiskInsight, Report, Week

“Attackers can continue without installing malware or setting off alarms by using techniques like AccessKey injection, trust policy backdooring, and the usage of NotAction policies.”

“Aside from IAM, attackers can use AWS resources like EC2 instances and Lambda functions to maintain access. Techniques that decrease oversight and allow for long-term compromise or destruction include turning off CloudTrail, changing event selectors, implementing lifecycle policies for quiet S3 deletion, and removing accounts from AWS Organizations.”

About The Author

Suraj Koli is a content specialist in technical writing about cybersecurity and information security. He has written many articles on cybersecurity concepts, covering the latest trends in cyber awareness and ethical hacking.
