
Critical Azure Entra ID Vulnerability Exposes Cross-Tenant Access Risks

3 unique sources, 3 articles

Summary


A critical elevation of privilege (EoP) vulnerability in Azure Entra ID (formerly Azure Active Directory) could have allowed unauthorized access to virtually any Entra ID tenant. The flaw, tracked as CVE-2025-55241, stems from an authentication failure in the Azure AD Graph API that made it possible to mint impersonation tokens for cross-tenant access. It was discovered in July 2025 and addressed over the summer, with no evidence of exploitation in the wild. The flaw highlights significant gaps in Azure's authentication stack, particularly around undocumented 'Actor' tokens used for backend service-to-service communication. These tokens lack essential security controls: they cannot be revoked, they are not subject to Conditional Access policies, and they offer no visibility, which makes them highly dangerous. Although the Azure AD Graph API was scheduled for deprecation, it is still used by many Microsoft applications, which widens the impact of the vulnerability. The flaw was reported to Microsoft on July 14, 2025, and the company confirmed that the problem was resolved nine days later. The vulnerability has been assigned the maximum CVSS score of 10.0. It allowed impersonation of any user, including Global Administrators, in any tenant, and it could bypass multi-factor authentication (MFA), Conditional Access, and logging, leaving no trace. The flaw was addressed by Microsoft as of July 17, 2025, requiring no customer action. The Azure AD Graph API has been officially deprecated and retired as of August 31, 2025.
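The summary names the controls a service-to-service token should be subject to and says the Actor tokens lacked them: a signature the receiving side actually verifies, binding to the tenant being accessed, a lifetime, and a revocation path. The following is an added example, not Microsoft's code and not a model of the real Actor token format (which the page does not describe): it is a small validator for a simplified HS256 JWT, using only the Python standard library, that refuses unsigned tokens, tokens whose signature does not match their claims, tokens issued for a different tenant than the one being accessed, expired tokens, and tokens on a revocation list. The claim names (`tid`, `jti`, `exp`), the signing key, and the tenant identifiers are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed secret for this example only; a real token service would use
# asymmetric keys and per-tenant key material.
DEMO_KEY = b"example-signing-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key, alg: str = "HS256") -> str:
    """Build a compact JWT. alg='none' produces an unsigned token; it exists
    only so the validator's rejection of unsigned tokens can be exercised."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    if alg == "none":
        return signing_input + "."
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_token(token: str, key: bytes, expected_tenant: str, now=None, revoked=frozenset()):
    """Return (accepted, reason). Every check here is one the summary says
    the Actor tokens were missing on the receiving side."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return False, "malformed"
    # 1. Only an explicitly supported signed algorithm; 'none' or a missing
    #    alg is refused before the signature is even looked at.
    if header.get("alg") != "HS256":
        return False, "unsigned or unsupported alg"
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return False, "bad signature"
    # 2. Tenant binding: the token must be for the tenant this request targets.
    if claims.get("tid") != expected_tenant:
        return False, "tenant mismatch"
    # 3. Lifetime and revocation.
    current = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= current:
        return False, "expired"
    if claims.get("jti") in revoked:
        return False, "revoked"
    return True, "ok"


def demo(now: float = 1_700_000_000.0) -> dict:
    """Run the validator over constructed tokens; returns scenario -> (accepted, reason)."""
    tenant_a = "tenant-a-0000"
    tenant_b = "tenant-b-1111"
    good = {"iss": "example-sts", "tid": tenant_a, "sub": "user@a", "jti": "j1", "exp": now + 600}
    foreign = dict(good, tid=tenant_b, jti="j2")
    results = {}
    results["valid"] = validate_token(mint_token(good, DEMO_KEY), DEMO_KEY, tenant_a, now)
    results["unsigned"] = validate_token(mint_token(good, None, alg="none"), DEMO_KEY, tenant_a, now)
    results["cross_tenant"] = validate_token(mint_token(foreign, DEMO_KEY), DEMO_KEY, tenant_a, now)
    # Re-point a signed token at another tenant without re-signing it.
    h, _, s = mint_token(good, DEMO_KEY).split(".")
    forged = h + "." + _b64url(json.dumps(foreign).encode()) + "." + s
    results["tampered"] = validate_token(forged, DEMO_KEY, tenant_b, now)
    results["revoked"] = validate_token(mint_token(good, DEMO_KEY), DEMO_KEY, tenant_a, now, revoked={"j1"})
    results["expired"] = validate_token(mint_token(dict(good, exp=now - 1), DEMO_KEY), DEMO_KEY, tenant_a, now)
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:13s} -> {outcome}")
```

The order of the checks matters: the algorithm is pinned before the signature is computed, so a token declaring `alg: none` never reaches the HMAC comparison, and the tenant claim is only trusted after the signature over it has been verified. The revocation set is what gives an operator a way to invalidate a token before it expires, which is the capability the summary says was absent.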

Timeline

  1. 19.09.2025 16:47 · 3 articles

    Critical Azure Entra ID Vulnerability Disclosed

    The flaw allowed complete access to the Microsoft Entra ID tenant of every company in the world. The flaw was discovered by Dirk-jan Mollema, founder of Outsider Security, who found that actor tokens are not signed and can be used to impersonate any user in the tenant. The flaw was reported to Microsoft on July 14, 2025, and the company confirmed that the problem was resolved nine days later. The vulnerability has been assigned the maximum CVSS score of 10.0. It allowed impersonation of any user, including Global Administrators, across any tenant. The flaw could bypass multi-factor authentication (MFA), Conditional Access, and logging, leaving no trace. The flaw was addressed by Microsoft as of July 17, 2025, requiring no customer action. The Azure AD Graph API has been officially deprecated and retired as of August 31, 2025.



Similar Happenings

Senator Wyden calls for FTC probe into Microsoft's alleged ransomware-related cybersecurity negligence

U.S. Senator Ron Wyden has called for an FTC investigation into Microsoft's alleged cybersecurity negligence, which he claims enabled ransomware attacks on U.S. critical infrastructure, including healthcare networks. The call follows a ransomware attack on Ascension, a healthcare system, which resulted in the theft of personal and medical information of nearly 5.6 million individuals. The attack was attributed to the Black Basta ransomware group and exploited insecure default settings in Microsoft software. The breach occurred in May 2024 when a contractor clicked on a malicious Bing Search result in Microsoft Edge, leading to a Kerberoasting attack. The attackers used Kerberoasting to extract encrypted service account credentials from Active Directory, exploiting the weaknesses of RC4. Wyden's letter to the FTC highlights Microsoft's continued support for RC4, an outdated encryption standard, and its failure to enforce secure password policies for privileged accounts. Microsoft has acknowledged the issues and plans to deprecate RC4 in future updates, but Wyden argues that these measures are insufficient to protect against ongoing threats.

Critical SessionReaper flaw in Adobe Commerce and Magento Open Source patched

Adobe has patched a critical vulnerability (CVE-2025-54236) in its Commerce and Magento Open Source platforms, dubbed SessionReaper. The flaw, with a CVSS score of 9.1, allows unauthenticated attackers to take control of customer accounts through the Commerce REST API. The patch was released on September 9, 2025, following an emergency notification to selected customers on September 4, 2025. No exploitation in the wild has been reported, but a hotfix leak may have provided threat actors with an advantage. Adobe Commerce on Cloud customers are already protected by a WAF rule. The patch disables certain internal Magento functionalities, potentially affecting custom or external code. The vulnerability impacts multiple versions of Adobe Commerce, Adobe Commerce B2B, and Magento Open Source, as well as the Custom Attributes Serializable module.

Microsoft Anti-Spam Service Misidentifies Safe URLs in Exchange Online and Teams

Microsoft is addressing a bug in its anti-spam service that incorrectly blocks URLs in Exchange Online and Microsoft Teams, causing some emails to be quarantined. The issue began on September 5, 2025, affecting users who received false alerts about malicious URLs. Over 6,000 URLs have been identified as affected, and Microsoft is working to unblock them and recover any incorrectly flagged messages. The bug is due to the anti-spam engine mistakenly tagging URLs within other URLs as potentially malicious. Microsoft has deployed a partial fix and is continuing to address the impact. The incident has been classified as an event with noticeable user impact, although the exact number of affected customers and regions remains undisclosed. Similar issues have occurred throughout the year, including a May 2025 incident where a machine learning model incorrectly flagged Gmail emails as spam in Exchange Online.

Microsoft Enforces MFA on Azure Portal Sign-ins for All Tenants

Microsoft has enforced multifactor authentication (MFA) for Azure Portal sign-ins for all tenants since March 2025. This move follows a series of announcements and warnings aimed at enhancing security across Azure services. The enforcement is part of Microsoft's broader strategy to protect user accounts against cyber threats. The enforcement began with Azure Portal sign-ins and will extend to Azure CLI, PowerShell, SDKs, and APIs in October 2025. Microsoft's data shows that MFA significantly reduces the likelihood of account compromise and hacking attempts.

SAP S/4HANA Command Injection Vulnerability CVE-2025-42957 Exploited in the Wild

A critical command injection vulnerability in SAP S/4HANA, tracked as CVE-2025-42957, is actively exploited in the wild. The flaw allows attackers with low-privileged user access to execute arbitrary ABAP code, potentially leading to full system compromise. The vulnerability affects both on-premise and Private Cloud editions of SAP S/4HANA. The flaw was patched in SAP's August 2025 updates, but exploitation has been observed. SecurityBridge Threat Research Labs, BleepingComputer, and Pathlock have reported active exploitation. Organizations are advised to apply patches, monitor logs for suspicious RFC calls or new admin users, implement SAP's Unified Connectivity framework (UCON) to restrict RFC usage, and take additional security measures to mitigate the risk.