# CVE-2025-55241: Azure Entra ID Elevation of Privilege Vulnerability
Published: 2025-09-04
Priority: P262 · Severity: critical · CVSS 3.1 base score: 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.55% (72.0th percentile)
## Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | microsoft_entra | — | — |
| msrc | microsoft_entra_id | — | — |
## Detection & IOCs (extracted from sources)
Detection rule (the source page labels it "sigma"; the query itself is written in Elastic ES|QL syntax):

```
from logs-azure.auditlogs-* metadata _id, _version, _index
| where azure.auditlogs.properties.initiated_by.user.displayName in (
    "Office 365 Exchange Online",
    "Skype for Business Online",
    "Dataverse",
    "Office 365 SharePoint Online",
    "Microsoft Dynamics ERP"
  ) and
  not azure.auditlogs.operation_name like "*group*" and
  azure.auditlogs.operation_name != "Set directory feature on tenant"
  and azure.auditlogs.properties.initiated_by.user.userPrincipalName rlike ".+@[A-Za-z0-9.]+\\.[A-Za-z]{2,}"
| keep
  @timestamp,
  azure.*,
  client.*,
  event.*,
  source.*,
  _id,
  _version,
  _index
```

Hunting notes:
- Hunt for Entra ID audit log entries where the initiating user's displayName is one of the known Microsoft S2S service names ('Office 365 Exchange Online', 'Skype for Business Online', 'Dataverse', 'Office 365 SharePoint Online', 'Microsoft Dynamics ERP') but the userPrincipalName resolves to a real user UPN; this pattern indicates actor token impersonation abuse.
- Actor tokens have a 24-hour validity and cannot be revoked; they bypass Conditional Access entirely and generate no logs in the victim tenant at token issuance or creation. Only actions performed via the Azure AD Graph API (graph.windows.net) in the last exploitation step appear in the victim tenant's logs.
- Monitor Azure AD Graph API (graph.windows.net) audit logs for read/write operations initiated by service principals that also carry a user UPN in the initiatedBy field, especially operations such as user creation, password reset, or admin role assignment originating from an unexpected tenant context.
- Exclude audit log entries whose operation name matches '*group*' or is exactly 'Set directory feature on tenant' to reduce false positives from legitimate Microsoft S2S actor token usage when building detections.
- Attacker exploitation requires only publicly available information (the tenant ID is derivable from a domain name via public APIs) plus a valid netId of any regular user in the target tenant; alert on unexpected enumeration of tenant IDs or user netIds via public Microsoft APIs.
- Actor tokens are unsigned and carry no proof of user context; they are issued by the legacy Access Control Service (ACS) used for SharePoint and internal Microsoft S2S communication. Because issuance and creation generate zero logs in Entra ID, purely log-based detection is incomplete.
- Microsoft has fully mitigated CVE-2025-55241 server-side; no customer action is required. Detection rules targeting this CVE are relevant for historical forensic investigation and for detecting any residual or novel actor token abuse patterns.
- The Azure AD Graph API (graph.windows.net) is deprecated and Microsoft is removing extended access in early September 2025; detections targeting this API endpoint may have a limited operational window and should be updated as the API is retired.
- Legitimate Microsoft internal services (Exchange Online, SharePoint Online, Skype for Business, Dataverse, Dynamics ERP) do use actor tokens for valid S2S operations; detection rules must be scoped carefully on anomalous operation types and unexpected user UPNs to avoid high false-positive rates.
## CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vendor_msrc | — | 10.0 | CRITICAL | — |
No public exploits indexed.
## Sources
Bleepingcomputer · blogs_bleepingcomputer · 2026-05-19
## Critical Microsoft Vulnerabilities Doubled: From Exposure to Escalation
BeyondTrust
Authored by: Morey J. Haber, Chief Security Advisor, BeyondTrust, and James Maude, Field Chief Technology Officer, BeyondTrust
As analyzed in the 2026 Microsoft Vulnerabilities Report, Microsoft disclosed 1,273 vulnerabilities in 2025, which represents a dip from 1,360 the prior year. The good news seems to be that total Microsoft vulnerabilities have remained in a stable range from 2020 – 2026.
But those numbers are the wrong ones to watch. Critical vulnerabilities doubled year-over-year, surging from 78 to 157, reversing a multi-year downward trend.
Stability in total vulnerability volume conceals instability in impact, and that is where organizations should focus their attention.
The most im
Wiz · blogs_wiz · 2025-10-12 · CVSS 9.9 · [CRITICAL]
## Crying Out Cloud Newsletter - October 2025 | Wiz
Welcome back! This month we’ve seen a lot of action, with both vulnerabilities and security incidents that have left users affected. We bring you the latest cloud security highlights, to help you stay informed and stay secure.
## 🔍 Highlights
## Shai-Hulud: Package Supply Chain Compromise Delivering Data-Stealing Malware
On September 15, 2025, malicious versions of multiple popular packages were published to npm. They contained a post-install script that harvested sensitive data and exfiltrated it to attacker-created public GitHub repos named Shai-Hulud. Beyond data theft, the malware exhibits worm-like behaviour: when a compromised package encounters additional npm tokens in its environment, it will automatically publish malicious versions of any packages it can access - spreading acr
Bleepingcomputer · blogs_bleepingcomputer · 2025-09-21 · CVSS 10.0 · [CRITICAL]
## Microsoft Entra ID flaw allowed hijacking any company's tenant
Ionut Ilascu
A critical combination of legacy components could have allowed complete access to the Microsoft Entra ID tenant of every company in the world.
The fatal mix included undocumented tokens called “actor tokens” and a vulnerability in the Azure AD Graph API (CVE-2025-55241) that allowed the tokens to work with any organization’s Entra ID environment.
A threat actor exploiting the issue would have had access to a slew of highly sensitive data without leaving any trace in the logs on the targeted environment, except for their own actions.
Entra ID is Microsoft’s cloud-based identity and access management (IAM) service, formerly known as Azure Active Directory (Azure AD), which provides organizations with singl
Bleepingcomputer · blogs_bleepingcomputer · 2025-09-09 · CVSS 8.8 · [HIGH]
## Microsoft September 2025 Patch Tuesday fixes 81 flaws, two zero-days
Lawrence Abrams
41 Elevation of Privilege Vulnerabilities
2 Security Feature Bypass Vulnerabilities
22 Remote Code Execution Vulnerabilities
16 Information Disclosure Vulnerabilities
3 Denial of Service Vulnerabilities
1 Spoofing Vulnerability
When BleepingComputer reports on the Patch Tuesday security updates, we only count those released on Patch Tuesday.
Therefore, the number of flaws does not include three Azure, one Dynamics 365 FastTrack Implementation Assets, two Mariner, five Microsoft Edge, and one Xbox vulnerabilities fixed earlier this month.
To learn more about the non-security updates released today, you can review our dedicated articles on the Windows 11 KB5065426 & KB5065431 cumulative updat