Azure Entra flaw could enable user impersonation
Microsoft patched an Azure Entra elevation of privilege flaw (CVE-2025-55241) that appeared minor and required no customer action. But security researcher Dirk-jan Mollema revealed a deeper issue: undocumented “Actor tokens” combined with an Azure AD Graph API flaw could have enabled attackers to impersonate any user, including Global Admins, across any Entra ID tenant, with no logs or traces. While Microsoft moved quickly after responsible disclosure, the episode highlights the fragility of cloud identity security, the hidden risks in undocumented systems, and the need for proactive monitoring beyond vendor assurances. Details below:
One Token to rule them all – obtaining Global Admin in every Entra ID tenant via Actor tokens: https://dirkjanm.io/obtaining-global-admin-in-every-entra-id-tenant-with-actor-tokens/
Anders Askasan, Director of Product at Radiant Logic, had this to say:
“This incident shows how undocumented identity features can quietly bypass Zero Trust. Actor tokens created a shadow backdoor with no policies, no logs, no visibility, undermining the very foundation of trust in the cloud. The takeaway is clear: vendor patching after the fact simply isn’t enough. To reduce systemic risk, enterprises need independent observability across their entire identity fabric, continuously correlating accounts, entitlements, and policies. Organizations need a trusted, vendor-agnostic view of their identity data and controls, so they can validate in real time and act before an adversarial incursion escalates into a breach that’s almost impossible to unwind.”
Christopher Elisan, Head of Offensive Security Research at Cobalt, adds this:
“This case underscores why blind trust in vendor assurances can be dangerous. While responsible disclosure and rapid patching worked here, the sheer scale of what could have gone wrong reminds us that security isn’t static. Organizations should invest in adversarial testing to uncover blind spots before attackers do. Blind spots often live in undocumented functionalities, which can only be found by continuous, independent testing and validation. Continuous, independent validation is the only way to cut through a false sense of safety.”
This shows the importance of having a strong, diversified defence strategy that reduces your exposure to something like this. That’s on top of patching everything as soon as possible.
This entry was posted on September 23, 2025 at 4:30 pm and is filed under Commentary with tags Microsoft. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.