critical

Entra ID actor token validation bug allowing cross-tenant global admin

Published Wed, Sep 17th, 2025
Platforms

Summary

A critical vulnerability discovered in Microsoft's Entra ID (formerly Azure AD) allowed cross-tenant access and global admin privilege escalation. The flaw was in the legacy Azure AD Graph API, which accepted undocumented "Actor tokens" without validating that the tenant the token was issued for matched the tenant being accessed. An attacker holding an actor token for their own tenant could therefore authenticate as any user, including Global Admins, in any other tenant. Because the token was accepted without reference to the target tenant's policies, controls such as Conditional Access did not apply. The issue was reported to Microsoft, which deployed a global server-side fix within days.
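The following is an added, illustrative model of the validation gap described above; it is not Microsoft's code, not the real actor-token format, and not code from the advisory. The claim names (aud, tid), the HMAC signing scheme, the tenant names and the directory contents are all constructed for the example. It puts the vulnerable check (signature valid, so trust the caller-supplied target tenant) beside the hardened check (the token's originating tenant must equal the tenant being accessed):

```python
# Added illustrative model of the actor-token validation gap.
# NOT Microsoft's code and NOT the real actor-token format: claim names,
# signing scheme, tenants and directory below are constructed for this example.
import base64
import hashlib
import hmac
import json

# Constructed stand-in for the token service's signing key.
ISSUER_KEY = b"constructed-actor-token-signing-key"

# Constructed directory: tenant -> {user -> directory role}.
DIRECTORY = {
    "attacker.example": {"mallory@attacker.example": "Global Administrator"},
    "victim.example": {
        "alice@victim.example": "User",
        "admin@victim.example": "Global Administrator",
    },
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_actor_token(tenant: str) -> str:
    """Issue a signed actor token bound to the requesting tenant (constructed format)."""
    claims = {"aud": "graph", "tid": tenant}
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    mac = hmac.new(ISSUER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"


def verify_actor_token(token: str) -> dict:
    """Check signature and audience only; returns the token's claims."""
    payload, mac = token.rsplit(".", 1)
    expected = hmac.new(ISSUER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("invalid actor token signature")
    claims = json.loads(_unb64(payload))
    if claims.get("aud") != "graph":
        raise ValueError("wrong audience")
    return claims


def authorize_vulnerable(token: str, target_tenant: str, impersonated_user: str) -> str:
    """Models the flaw: the token is cryptographically valid, so the service
    trusts the caller-supplied target tenant and impersonated user without
    checking which tenant the token was actually issued for."""
    verify_actor_token(token)
    return DIRECTORY[target_tenant][impersonated_user]


def authorize_fixed(token: str, target_tenant: str, impersonated_user: str) -> str:
    """Hardened form: the originating tenant in the token must match the
    tenant being accessed, and the impersonated user must exist there."""
    claims = verify_actor_token(token)
    if claims["tid"] != target_tenant:
        raise PermissionError("actor token issued for another tenant")
    if impersonated_user not in DIRECTORY[target_tenant]:
        raise PermissionError("impersonated user not in tenant")
    return DIRECTORY[target_tenant][impersonated_user]


def demo() -> tuple:
    """Attacker holds a token for their own tenant and targets the victim's Global Admin."""
    token = issue_actor_token("attacker.example")
    vulnerable = authorize_vulnerable(token, "victim.example", "admin@victim.example")
    try:
        authorize_fixed(token, "victim.example", "admin@victim.example")
        fixed = "granted"
    except PermissionError as exc:
        fixed = f"denied: {exc}"
    return vulnerable, fixed


if __name__ == "__main__":
    print(demo())
```

The point of the model is that signature validity alone says nothing about scope: a token that verifies correctly must still be bound to the tenant (and user) it is used against, and that binding has to be checked by the resource, not inferred from caller-supplied parameters. In a real deployment the hardened path would additionally be where tenant policy such as Conditional Access is enforced.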

Affected Services

N/A

Remediation

None required; Microsoft deployed the fix server-side.

Tracked CVEs

CVE-2025-55241

References

Entry Status
Finalized
Disclosure Date
Thu, Sep 4th, 2025
Exploitability Period
-
Known ITW Exploitation
-
Detection Methods
Review Entra ID AuditLogs for unexpected directory changes, as recommended in the referenced articles. Note that read access through the Azure AD Graph API with these tokens was not logged in the target tenant, so audit logs only surface write operations performed with them.
Piercing Index Rating
-
Discovered by
Dirk-jan Mollema, Outsider Security