A critical token validation flaw in Microsoft Entra ID (formerly Azure Active Directory) could have allowed any user to impersonate any other user, including Global Administrators.
The vulnerability, tracked as CVE-2025-55241, has been assigned the maximum CVSS score of 10.0. Microsoft describes it as a privilege escalation flaw in Azure Entra. There is no indication that the issue was exploited in the wild. The Windows maker addressed it as of July 17, 2025, and no customer action is required.
Security researcher Dirk-jan Mollema, who discovered and reported the flaw on July 14, said it made it possible to compromise every Entra ID tenant in the world, with the possible exception of national cloud deployments.
The problem stems from a combination of two components: service-to-service (S2S) actor tokens issued by the Access Control Service (ACS), and a critical flaw in the legacy Azure AD Graph API (graph.windows.net) that failed to properly validate the originating tenant of an actor token, which could then be abused for cross-tenant access.
It is also noteworthy that actor tokens are not subject to Microsoft's Conditional Access policies, enabling a bad actor with access to the Graph API to make unauthorized changes. To make matters worse, the lack of API-level logging for the Graph API meant that it could be exploited to access Entra ID user information, group and role details, tenant settings, application permissions, and device information (including BitLocker keys synced to Entra ID) without leaving any trace.
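To make the two points above concrete, here is an added illustration (not code from the article, from Microsoft, or from the researcher) of the kind of check that was missing: a toy token service that signs actor tokens carrying an issuing-tenant claim, a vulnerable authorizer that trusts the impersonation claim of any validly signed token regardless of tenant, and a hardened authorizer that ties the token to the tenant being accessed and records an audit entry. The token layout, claim names (`tid`, `impersonated_user`), the HMAC signing scheme and the `user@tenant` identity format are all constructed for this example and are not the real Entra ID or ACS token format.

```python
"""Added example (not from the article, Microsoft, or the researcher): a toy
model of the missing originating-tenant check behind CVE-2025-55241.
Token layout, claim names, signing scheme and identity format are constructed
for illustration and are NOT the real Entra ID / ACS actor-token format."""
import base64
import hashlib
import hmac
import json

# Constructed signing secret standing in for the token service's key.
ISSUER_KEY = b"constructed-demo-key"

# The hardened path writes one entry here per decision (the article notes the
# real API had no API-level logging, so impersonation left no trace).
AUDIT_LOG = []


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict) -> str:
    """Issue a toy signed token: base64(json claims).base64(hmac-sha256)."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_signature(token: str) -> dict:
    """Check the HMAC and return the claims; raise on a forged token."""
    body, sig = token.split(".")
    expected = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64(sig), expected):
        raise ValueError("bad signature")
    return json.loads(_unb64(body))


def authorize_vulnerable(token: str, target_tenant: str) -> str:
    """Models the flawed behaviour: any validly signed actor token is accepted
    and its impersonation claim honoured, with no link between the tenant the
    token was issued in and the tenant whose data is being accessed."""
    claims = verify_signature(token)
    return claims["impersonated_user"]


def authorize_hardened(token: str, target_tenant: str) -> str:
    """Adds the check the article says was missing: the token's issuing tenant
    must be the tenant being accessed, and the impersonated user must belong
    to that same tenant. Every decision is logged."""
    claims = verify_signature(token)
    user = claims.get("impersonated_user", "")
    if claims.get("tid") != target_tenant:
        AUDIT_LOG.append({"result": "deny", "reason": "cross-tenant", "user": user})
        raise PermissionError("token issued for another tenant")
    if not user.endswith("@" + target_tenant):
        AUDIT_LOG.append({"result": "deny", "reason": "foreign-user", "user": user})
        raise PermissionError("impersonated user is outside the token's tenant")
    AUDIT_LOG.append({"result": "allow", "user": user})
    return user


def demo() -> dict:
    """Run the cross-tenant scenario through both authorizers."""
    # Constructed: token minted in the attacker's own tenant, naming a user in
    # the victim tenant as the impersonated identity.
    forged = mint_token({"tid": "attacker-tenant",
                         "impersonated_user": "admin@victim-tenant"})
    legit = mint_token({"tid": "victim-tenant",
                        "impersonated_user": "svc@victim-tenant"})
    result = {"vulnerable": authorize_vulnerable(forged, "victim-tenant")}
    try:
        authorize_hardened(forged, "victim-tenant")
        result["hardened"] = "accepted"
    except PermissionError as exc:
        result["hardened"] = f"rejected: {exc}"
    result["legit"] = authorize_hardened(legit, "victim-tenant")
    return result


if __name__ == "__main__":
    print(demo())
    print(AUDIT_LOG)
```

The design point is that signature validity alone proves only that the token service issued the token, not that it belongs to the tenant whose resources are being touched; the hardened authorizer makes the tenant binding explicit and leaves an audit record of denials as well as allows.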
Impersonating a Global Administrator could allow an attacker to create new accounts, grant additional permissions, or exfiltrate sensitive data, resulting in a complete tenant compromise with access to any service that uses Entra ID for authentication, such as SharePoint Online and Exchange Online.
"This would also provide full access to any resources hosted in Azure, as these resources are controlled from the tenant level and Global Admins can grant themselves rights over Azure subscriptions," Mollema said.
Microsoft describes such instances of cross-tenant access as a "High Privileged Access" (HPA) scenario, which "occurs when an application or service obtains broad access to customer content, allowing it to impersonate other users without providing any proof of user context."
It is worth noting that the Azure AD Graph API has been officially deprecated and was retired on August 31, 2025, with the tech giant urging users to migrate their apps to Microsoft Graph. The deprecation was first announced in 2019.
Back in late June 2025, Microsoft noted, "Applications that were configured for extended access, which still depend on the Azure AD Graph API, will no longer be able to use these APIs starting in early September 2025."
Cloud security company Mitiga said that successful exploitation of CVE-2025-55241 could bypass multi-factor authentication (MFA), Conditional Access and logging, leaving no trace of the incident.
"Attackers could craft these [actor] tokens in ways that made Entra ID think they were whoever they wanted to be, anywhere," said Shayan of Mitiga. "The vulnerability arose because the legacy API failed to validate the tenant source of the token."
"This meant that an attacker could obtain an actor token from their own, non-privileged test environment and then use it to impersonate a Global Administrator in another company's tenant. The attacker did not require any pre-existing access to the target organization."
Earlier, Mollema had also detailed a high-severity security flaw affecting on-premises versions of Exchange Server (CVE-2025-53786, CVSS score: 8.0) that could allow an attacker to obtain elevated privileges under certain conditions. Another piece of research found that Intune certificate misconfigurations (e.g., Subject Alternative Name) could be abused by regular users to carry out ESC1 attacks targeting Active Directory environments.
The disclosure comes a few weeks after Binary Security's Haakon Hoel Gulbrandsrud showed that the shared API Management (APIM) instance used to facilitate Software-as-a-Service (SaaS) connectors could be reached directly from Azure Resource Manager to gain cross-tenant access.
"API connections allow anyone to fully compromise any other connection worldwide, providing complete access to the connected backend," Gulbrandsrud said. "This includes Key Vaults and cross-tenant compromise of Azure SQL databases, as well as any other external service, such as Jira or Salesforce."
It also follows the discovery of a number of cloud-related flaws and attacks in recent weeks:
- An Entra ID OAuth misconfiguration that provided unauthorized access to Microsoft's internal Engineering Hub with a personal Microsoft account, exposing 22 internal services and related data.
- An attack that exploits the Microsoft OneDrive for Business Known Folder Move (KFM) feature, allowing a bad actor who compromises a Microsoft 365 user's OneDrive sync to gain access to their apps and files.
- A publicly accessible application settings (appsettings.json) file that could be exploited to authenticate directly against Microsoft's OAuth 2.0 endpoints, exfiltrate sensitive data, deploy malicious apps, or escalate privileges.
- A phishing attack with a malicious OAuth application link in Microsoft Azure that tricked a user into granting unknown actors AWS permissions, which were then used to exfiltrate sensitive data.
- An attack that exploits server-side request forgery (SSRF) weaknesses to compromise cloud resources, with the aim of reaching the Instance Metadata Service (IMDS) by sending requests to the AWS EC2 metadata service and obtaining the temporary security credentials assigned to the instance.
- A now-patched issue in AWS's Trusted Advisor tool that could be exploited to sidestep S3 security checks by manipulating certain storage bucket policies, causing the tool to wrongly report an S3 bucket as secure and exposing sensitive data to exfiltration and data breaches.
- A technique codenamed AWSDoor that modifies IAM configuration related to AWS roles and trust policies to establish persistence in AWS environments.
The findings show that misconfigurations in cloud environments, which remain all too common, can have disastrous consequences for organizations, leading to data theft and other follow-on attacks.
"Access key injection, trust policy backdooring, and the use of NotAction policies allow attackers to persist without deploying malware or triggering alarms," Riskinets researchers Von Dekkar and Arnod Pettcol said in a report last week.
"Beyond IAM, attackers can abuse AWS resources, such as Lambda functions and EC2 instances, to maintain access. Disabling CloudTrail, modifying event selectors, deploying lifecycle policies for silent S3 deletion, or detaching accounts from AWS Organizations are all techniques that weaken or eliminate logging and enable the destruction of evidence in compromised environments."
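The persistence and anti-forensics techniques listed in the two quotes above map to a small number of IAM policy patterns and CloudTrail API calls that a defender can audit for. The following added example (not code from the article, from AWSDoor, or from the quoted researchers) checks role trust policies for foreign or wildcard principals, flags `Allow` statements that use `NotAction`, and scans CloudTrail records for the logging-tampering API names. The policies, the CloudTrail records and the trusted-account list are constructed inline; the mapping from event name to description is the author's own and uses real CloudTrail, S3 and Organizations API names.

```python
"""Added example (not from the article, AWSDoor, or the quoted researchers):
a small defensive audit for the IAM persistence and anti-forensics techniques
the quotes list. All policies, CloudTrail records and account IDs below are
constructed for illustration."""
import json

# Constructed: the account IDs we expect to see as trusted principals.
TRUSTED_ACCOUNTS = {"111111111111"}

# CloudTrail eventName values corresponding to the quoted techniques. These are
# real API action names; the descriptions are this example's own wording.
TAMPER_EVENTS = {
    "StopLogging": "CloudTrail logging stopped",
    "DeleteTrail": "CloudTrail trail deleted",
    "PutEventSelectors": "CloudTrail event selectors modified",
    "PutBucketLifecycle": "S3 lifecycle policy changed (possible silent deletion)",
    "PutBucketLifecycleConfiguration": "S3 lifecycle policy changed (possible silent deletion)",
    "LeaveOrganization": "account detached from AWS Organizations",
    "RemoveAccountFromOrganization": "account removed from AWS Organizations",
}


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy: dict) -> list:
    """Flag sts:AssumeRole grants to wildcard or non-trusted principals."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not any(a.startswith("sts:assumerole") or a in ("sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for p in principals:
            if p == "*":
                findings.append("trust policy allows any principal to assume the role")
                continue
            # ARN layout arn:partition:service:region:account:resource -> index 4
            account = p.split(":")[4] if p.startswith("arn:") else p
            if account not in TRUSTED_ACCOUNTS:
                findings.append(f"trust policy allows untrusted account {account}")
    return findings


def audit_permission_policy(policy: dict) -> list:
    """Flag Allow statements built on NotAction: they grant everything except
    the listed actions, which is a common way to hide a near-unbounded grant."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow" and "NotAction" in stmt:
            findings.append("Allow statement uses NotAction (near-unbounded grant)")
    return findings


def detect_tampering(events: list) -> list:
    """Return (eventName, description) for records matching anti-forensics APIs."""
    return [(e["eventName"], TAMPER_EVENTS[e["eventName"]])
            for e in events if e.get("eventName") in TAMPER_EVENTS]


# Constructed sample input: a backdoored trust policy, a NotAction permission
# policy, and a handful of CloudTrail records.
BACKDOORED_TRUST = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                 "Principal": {"AWS": ["arn:aws:iam::111111111111:root",
                                       "arn:aws:iam::999999999999:user/ops"]}}]}""")
NOTACTION_POLICY = {"Version": "2012-10-17",
                    "Statement": [{"Effect": "Allow", "NotAction": ["iam:*"], "Resource": "*"}]}
SAMPLE_EVENTS = [
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com"},
    {"eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com"},
    {"eventName": "PutEventSelectors", "eventSource": "cloudtrail.amazonaws.com"},
    {"eventName": "PutBucketLifecycle", "eventSource": "s3.amazonaws.com"},
]


if __name__ == "__main__":
    print(audit_trust_policy(BACKDOORED_TRUST))
    print(audit_permission_policy(NOTACTION_POLICY))
    print(detect_tampering(SAMPLE_EVENTS))
```

In practice the policy documents would come from `iam:GetRole` / `iam:GetPolicyVersion` and the events from CloudTrail exports or a SIEM; the audit logic stays the same, and the trusted-account set is the one input an organisation has to maintain deliberately.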