critical

Entra ID actor token validation bug allowing cross-tenant global admin

Published Wed, Sep 17th, 2025

Platforms

azure

Summary

A critical vulnerability discovered in Microsoft's Entra ID (formerly Azure AD) allowed cross-tenant access and potential Global Admin privilege escalation. The flaw was in the legacy Azure AD Graph API, which improperly validated the originating tenant for undocumented "Actor tokens." An attacker could use a token issued in their own tenant to authenticate as any user, including Global Admins, in any other tenant. Because the validation happened in the legacy API rather than at sign-in, this bypassed security policies such as Conditional Access. The issue was reported to Microsoft, which deployed a global fix within days.

Affected Services

N/A

Remediation

None required.

Tracked CVEs

CVE-2025-55241

References

Contributed by https://github.com/sapirxfed

Entry Status

Finalized

Disclosure Date

Thu, Sep 4th, 2025

Exploitability Period

-

Known ITW Exploitation

-

Detection Methods

Review AuditLogs as recommended in referenced articles.

Piercing Index Rating

-

Discovered by

Dirk-jan Mollema, Outsider Security