Microsoft Entra ID flaw allowed hijacking any company's tenant

phaZed

Ouch. Pretty much as bad as it comes.

A critical combination of legacy components could have allowed complete access to the Microsoft Entra ID tenant of every company in the world.

The fatal mix included undocumented tokens called “actor tokens” and a vulnerability in the Azure AD Graph API (CVE-2025-55241) that allowed the tokens to work with any organization’s Entra ID environment.

A threat actor exploiting the issue would have had access to a slew of highly sensitive data without leaving any trace in the logs on the targeted environment, except for their own actions.

And if ever there were an example of where "security by obscurity" (that is, not trumpeting this vulnerability) is needed prior to a patch, this is it.

But they shouldn't be covered up after the patches are in place. These things always have, and always will, happen. Even with the best of intentions and the best security designers/coders out there, it's all become so complicated that no single individual knows or understands each and every one of the myriad working parts. And all it takes is "one or two" to create a security opening that, as my dear, departed Aunt Lila would have said, "you could drive a Mack Truck through."