This serious Microsoft Entra flaw could have let hackers infiltrate any user, so patch now

Actor tokens allowed cross-tenant impersonation without logging or security checks
CVE-2025-55241 enabled Global Admin access via deprecated Azure AD Graph API
Microsoft patched the flaw in September 2025; actor tokens and Graph API are being phased out

Security researchers have found a critical vulnerability in Microsoft Entra ID which could have allowed threat actors to gain Global Administrator access to virtually anyone’s tenant – without being detected in any way.

The vulnerability consists of two things – a legacy service called “actor tokens”, and a critical Elevation of Privilege bug tracked as CVE-2025-55241.

Actor tokens are undocumented, unsigned authentication tokens used in Microsoft services to impersonate users across tenants. They are issued by a legacy system called Access Control Service (ACS) and were originally designed for service-to-service (S2S) authentication.

Deprecating and phasing out

According to security researcher Dirk-jan Mollema who discovered the flaw, these tokens bypass standard security controls, lack logging, and remain valid for 24 hours, which makes them exploitable for unauthorized access without detection.

Mollema demonstrated that by crafting impersonation tokens using public tenant IDs and user identifiers, he could access sensitive data and perform administrative actions in other organizations’ environments.

These actions included creating users, resetting passwords, and modifying configurations – all without generating logs in the victim tenant.

“I tested this in a few more test tenants I had access to, to make sure I was not crazy, but I could indeed access data in other tenants, as long as I knew their tenant ID (which is public information) and the netId of a user in that tenant,” Mollema explained.

As it turns out, Azure AD Graph API, a deprecated system that’s slowly being phased out, was accepting the tokens from one tenant and applying them to another, bypassing conditional access policies and standard authentication checks.

Mollema reported the issue on Microsoft, which acknowledged it in mid-July 2025, and patched within two weeks. CVE-2025-55241 was given a severity score of 10/10 (critical), and was officially addressed on September 4.

Azure AD Graph API is being deprecated, while the tokens, which Microsoft refers to as “high-privileged access” mechanisms used internally, are being phased out.