cvebase
CVE-2025-55241
published 2025-09-04

CVE-2025-55241: Azure Entra ID Elevation of Privilege Vulnerability

Priority: P262
Severity: critical
CVSS 3.1 base score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 1.55% (72.0th percentile)
Azure Entra ID Elevation of Privilege Vulnerability

Affected (2 ranges)

Vendor      Product              Version range   Fixed in
microsoft   microsoft_entra      (not listed)    (not listed)
msrc        microsoft_entra_id   (not listed)    (not listed)

Detection & IOCs (extracted from sources)

Detection query (ES|QL, against the Elastic Azure audit log integration):
from logs-azure.auditlogs-* metadata _id, _version, _index
// Initiator display name is one of the Microsoft S2S services that use actor tokens ...
| where azure.auditlogs.properties.initiated_by.user.displayName in (
    "Office 365 Exchange Online",
    "Skype for Business Online",
    "Dataverse",
    "Office 365 SharePoint Online",
    "Microsoft Dynamics ERP"
  )
  // ... excluding the legitimate S2S operations that dominate the noise ...
  and not azure.auditlogs.operation_name like "*group*"
  and azure.auditlogs.operation_name != "Set directory feature on tenant"
  // ... while the UPN still looks like a real user's (genuine service-initiated entries carry none)
  and azure.auditlogs.properties.initiated_by.user.userPrincipalName rlike ".+@[A-Za-z0-9.]+\\.[A-Za-z]{2,}"
| keep
    @timestamp,
    azure.*,
    client.*,
    event.*,
    source.*,
    _id,
    _version,
    _index
  • Hunt for Entra ID audit log entries where the initiating user's displayName is one of the Microsoft S2S service names ('Office 365 Exchange Online', 'Skype for Business Online', 'Dataverse', 'Office 365 SharePoint Online', 'Microsoft Dynamics ERP') but the userPrincipalName resolves to a real user UPN; this combination is the signature of actor token impersonation.
  • Actor tokens are valid for 24 hours and cannot be revoked; they bypass Conditional Access entirely and generate no logs in the victim tenant when requested or when the impersonation token is created. Only the final step, the actions performed through the Azure AD Graph API (graph.windows.net), appears in the victim tenant's audit logs.
  • Monitor Azure AD Graph API (graph.windows.net) audit entries for read and write operations whose initiatedBy field names a service principal yet also carries a user UPN, especially user creation, password resets, or admin role assignments originating from an unexpected tenant context.
  • When building detections, exclude audit entries whose operation name matches '*group*' or equals 'Set directory feature on tenant'; these are the legitimate Microsoft S2S actor token operations that otherwise produce most of the false positives.
  • Exploitation requires only public information (the tenant ID can be derived from a domain name through public Microsoft APIs) plus the netId of any regular user in the target tenant. Alert on unexpected enumeration of tenant IDs or user netIds where your telemetry exposes it; note that tenant ID lookups go to unauthenticated Microsoft endpoints and do not appear in the tenant's own audit logs.
  • Actor tokens carry no proof of user context, and the impersonation token an attacker constructs around one is unsigned; actor tokens are issued by the legacy Access Control Service (ACS) used by SharePoint and by Microsoft's internal S2S communication. Because issuance and impersonation token creation generate no Entra ID logs, purely log-based detection is incomplete.
  • Microsoft has fully mitigated CVE-2025-55241 server-side; no customer action is required. Detection rules targeting this CVE are relevant for historical forensic investigation and for catching residual or novel actor token abuse patterns.
  • The Azure AD Graph API (graph.windows.net) is deprecated and Microsoft was removing extended access in early September 2025; detections targeting this endpoint have a limited operational window and should be retired or updated as the API goes away.
  • Legitimate Microsoft internal services (Exchange Online, SharePoint Online, Skype for Business, Dataverse, Dynamics ERP) do use actor tokens for valid S2S operations, so detection rules must scope on anomalous operation types and unexpected user UPNs to keep false positives manageable.
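To run the same hunt outside Elastic, for example over an audit export pulled from Microsoft Graph during an incident, here is an added Python example that is not code from this page, from Microsoft, or from the researcher who reported the flaw. It applies the query's logic (service display name, real-looking UPN, the two exclusions) to records in the Microsoft Graph directoryAudits shape (activityDisplayName, initiatedBy.user.displayName / userPrincipalName, targetResources), which the Elastic Azure integration maps to azure.auditlogs.operation_name and azure.auditlogs.properties.initiated_by.user.*. The sample records are constructed for this example; the contoso.example UPNs and evt-N identifiers are assumptions.

```python
"""Replay the page's ES|QL actor token hunt over exported Entra ID audit records.

Added example. Records use the Microsoft Graph directoryAudits shape; a
JSON-lines export (one directoryAudits object per line) can be passed as argv[1].
"""
import fnmatch
import json
import re
import sys

# Display names the page lists for Microsoft S2S services that legitimately use actor tokens.
S2S_SERVICE_NAMES = {
    "Office 365 Exchange Online",
    "Skype for Business Online",
    "Dataverse",
    "Office 365 SharePoint Online",
    "Microsoft Dynamics ERP",
}
# Exclusions from the page's query: legitimate S2S operations that dominate the noise.
EXCLUDED_OPERATION_GLOB = "*group*"
EXCLUDED_OPERATION_EXACT = {"Set directory feature on tenant"}
# Same regex as the ES|QL RLIKE; fullmatch mirrors RLIKE's whole-string semantics.
USER_UPN_RE = re.compile(r".+@[A-Za-z0-9.]+\.[A-Za-z]{2,}")


def is_suspect(record: dict) -> bool:
    """True when a service display name is paired with a real user's UPN.

    Missing fields fail the test, matching ES|QL where a null in the WHERE
    clause evaluates to null and the row is dropped.
    """
    user = (record.get("initiatedBy") or {}).get("user") or {}
    display_name = user.get("displayName")
    upn = user.get("userPrincipalName")
    operation = record.get("activityDisplayName")
    if display_name not in S2S_SERVICE_NAMES or not operation:
        return False
    if operation in EXCLUDED_OPERATION_EXACT or fnmatch.fnmatchcase(operation, EXCLUDED_OPERATION_GLOB):
        return False
    return bool(upn) and USER_UPN_RE.fullmatch(upn) is not None


def hunt(records):
    """Return the records that match the hunt, preserving input order."""
    return [r for r in records if is_suspect(r)]


def summarize(record: dict) -> str:
    """One-line triage summary: time, operation, impersonated identity, targets."""
    user = record["initiatedBy"]["user"]
    targets = ",".join(
        t.get("userPrincipalName") or t.get("displayName") or "?"
        for t in record.get("targetResources", [])
    )
    return (f'{record.get("activityDateTime")} {record.get("activityDisplayName")!r} '
            f'as {user.get("displayName")!r} with UPN {user.get("userPrincipalName")} -> {targets}')


# Constructed sample records for this example (not real tenant data).
SAMPLE_RECORDS = [
    {"id": "evt-1", "activityDateTime": "2025-09-04T10:01:00Z",
     "activityDisplayName": "Update user",
     "initiatedBy": {"user": {"displayName": "Office 365 Exchange Online",
                              "userPrincipalName": "alice@contoso.example"}},
     "targetResources": [{"userPrincipalName": "victim@contoso.example"}]},
    # Genuine S2S activity: service display name, no user UPN at all.
    {"id": "evt-2", "activityDateTime": "2025-09-04T10:02:00Z",
     "activityDisplayName": "Update user",
     "initiatedBy": {"user": {"displayName": "Office 365 Exchange Online"}},
     "targetResources": [{"userPrincipalName": "mailbox@contoso.example"}]},
    # Excluded by the '*group*' glob.
    {"id": "evt-3", "activityDateTime": "2025-09-04T10:03:00Z",
     "activityDisplayName": "Add member to group",
     "initiatedBy": {"user": {"displayName": "Office 365 SharePoint Online",
                              "userPrincipalName": "bob@contoso.example"}},
     "targetResources": [{"displayName": "Site Members"}]},
    # Excluded by the exact-match exclusion.
    {"id": "evt-4", "activityDateTime": "2025-09-04T10:04:00Z",
     "activityDisplayName": "Set directory feature on tenant",
     "initiatedBy": {"user": {"displayName": "Dataverse",
                              "userPrincipalName": "carol@contoso.example"}},
     "targetResources": []},
    # Ordinary administrator, not a service display name.
    {"id": "evt-5", "activityDateTime": "2025-09-04T10:05:00Z",
     "activityDisplayName": "Reset password (by admin)",
     "initiatedBy": {"user": {"displayName": "Alice Example",
                              "userPrincipalName": "alice@contoso.example"}},
     "targetResources": [{"userPrincipalName": "dave@contoso.example"}]},
    # Role assignment under a service display name with a real UPN: the pattern to catch.
    {"id": "evt-6", "activityDateTime": "2025-09-04T10:06:00Z",
     "activityDisplayName": "Add member to role",
     "initiatedBy": {"user": {"displayName": "Microsoft Dynamics ERP",
                              "userPrincipalName": "dave@contoso.example"}},
     "targetResources": [{"displayName": "Global Administrator"}]},
]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            records = [json.loads(line) for line in fh if line.strip()]
    else:
        records = SAMPLE_RECORDS
    for hit in hunt(records):
        print(summarize(hit))
```

Run without arguments to see evt-1 and evt-6 flagged and the other four dropped for the reasons noted in the comments; pass a JSON-lines export as the first argument to run it over real data. As the page notes, a hit only shows the last step of the attack, so a flagged entry should be pivoted on the target resources and the impersonated UPN rather than treated as the full timeline.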

CVSS provenance

Source        Version   Score   Severity   Vector
nvd           v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vendor_msrc   -         10.0    CRITICAL   -