Tenants worldwide were put at risk because a key entry point into the service did not properly verify who was calling.
In a significant development, a critical vulnerability has been discovered in Microsoft's identity and access management service, Entra ID. Security researcher Dirk-Jan Mollema of Outsider Security reported the flaw to Microsoft; it carries a CVSS score of 10 out of 10, the highest possible severity.
The vulnerability, designated CVE-2025-55241, allows an attacker to gain full access to Entra ID tenants worldwide. Such access could allow the attacker to view personal information and BitLocker keys and to take control of services such as SharePoint Online.
The attack on Entra ID comprises two components. The first is an undocumented identity token called an "Actor Token", which Microsoft uses for service-to-service communication. The second is a vulnerability in the legacy Azure AD Graph API, which did not adequately verify these tokens, allowing an attacker to impersonate an administrator of any tenant.
To exploit the vulnerability, an attacker needed to know the target's tenant ID and the NetID of a user; both pieces of information can be obtained with relatively little effort. Worse, an attack using an Actor Token would leave no trace in the logs.
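A defender-side model of the flaw described above, added here as an example that is not code from the article, from the researcher, or from Microsoft: the token format, the claim names (`typ`, `tid`, `svc`) and both authorize functions are constructed assumptions, not the real Actor Token, which the article notes is undocumented. The vulnerable check verifies only the signature and token type, so a token minted for one tenant is accepted against any other; the hardened check binds the token to the tenant it was issued for and records every use, the kind of trail the article says the real attack did not leave.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real service would use an asymmetric issuer key.
SIGNING_KEY = b"constructed-demo-key"
AUDIT_LOG = []  # the hardened check appends one record per token use


def mint_token(claims):
    """Toy service-to-service token: base64url(JSON claims) + "." + HMAC tag."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    tag = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag


def parse_token(token):
    """Return the claims if the tag is valid, otherwise None."""
    body, _, tag = token.rpartition(".")
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body))


def vulnerable_authorize(token, target_tenant, impersonated_user):
    """Models the flaw: signature and type are checked, tenant binding is not."""
    claims = parse_token(token)
    if claims is None or claims.get("typ") != "actor":
        return False
    return True  # any valid actor token is honoured for any tenant and any user


def hardened_authorize(token, target_tenant, impersonated_user):
    """Accept the token only for the tenant it was issued for, and log the use."""
    claims = parse_token(token)
    if claims is None or claims.get("typ") != "actor":
        return False
    record = {"event": "actor_token_use", "service": claims.get("svc"),
              "token_tenant": claims.get("tid"), "target_tenant": target_tenant,
              "impersonated_user": impersonated_user}
    if claims.get("tid") != target_tenant:
        record["outcome"] = "rejected_cross_tenant"
        AUDIT_LOG.append(record)
        return False
    record["outcome"] = "accepted"
    AUDIT_LOG.append(record)
    return True
```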
Fortunately, Microsoft has already addressed the issue: the vulnerability was patched in July of this year, following Dirk-Jan Mollema's report. Tenant administrators did not need to take any action, as the issue was resolved on the server side by Microsoft.
Microsoft has issued an alert with further details about the attack. For those interested in the technical aspects, the researcher has published a comprehensive report with additional information.
As of now, Microsoft is not aware of any such attacks on Entra ID. Given the widespread use of Entra ID by large companies worldwide, the vulnerability had far-reaching consequences. It underscores the importance of regular security audits and the prompt reporting of any discovered vulnerabilities.