- Actor tokens allowed cross-tenant impersonation without logging or security checks
- CVE-2025-55241 enabled Global Administrator access via the outdated Azure AD Graph API
- Microsoft patched the flaw in September 2025; Actor tokens and the Azure AD Graph API are being phased out
Security researchers have found a critical vulnerability in Microsoft Entra ID that could have let threat actors obtain Global Administrator access to practically any tenant, without being detected in any way.
The vulnerability involves two components: an older mechanism called "Actor tokens" and a critical privilege-escalation flaw tracked as CVE-2025-55241.
Actor tokens are undocumented, unsigned authentication tokens used within Microsoft services to impersonate users across tenants. They are issued by a legacy system called the Access Control Service (ACS) and were originally designed for service-to-service (S2S) authentication.
Deprecated and being phased out
According to security researcher Dirk-Jan Mollema, who discovered the flaw, these tokens bypass standard security checks, generate no logs and remain valid for 24 hours, which makes them usable for unauthorized access without detection.
Mollema demonstrated that by forging tokens using public tenant IDs and user identifiers, he could access sensitive data and perform administrative actions in other organizations' environments.
These actions included creating users, resetting passwords and changing configurations, all without generating logs in the victim tenants.
"I tested this against a few more test tenants I had access to to make sure I wasn't crazy, but I could actually access data from other tenants as long as I knew their tenant ID (which is public information) and the identifier of a user in that tenant," Mollema explained.
It turns out that the Azure AD Graph API, a deprecated system being slowly phased out, accepted tokens issued for one tenant and applied them to another, bypassing Conditional Access policies and standard authorization controls.
Mollema reported the issue to Microsoft, which acknowledged it in mid-July 2025 and patched it within two weeks. CVE-2025-55241 received a severity score of 10/10 (critical) and was officially addressed on September 4th.
The Azure AD Graph API is deprecated, while Actor tokens, which Microsoft describes as "high privileged access" mechanisms used internally, are being phased out.
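The defensive lesson in the paragraph above is a missing binding check: a token minted for tenant A must never be honored when the request targets tenant B, and every accept/deny decision should leave an audit trail. The following added example is a simplified model written for this article, not Microsoft's code and not the real Actor token or Azure AD Graph format; the claim names, tenant IDs and directory contents are constructed. It places the unchecked pattern the article describes beside a hardened version that verifies the tenant binding and logs each decision.

```python
# Added illustrative example (not from the article or from Microsoft).
# Token fields, tenant IDs, user identifiers and directory data are constructed
# for this demonstration and do not reflect the real Actor token format.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ImpersonationToken:
    issuer_tenant: str   # tenant the token was issued for
    subject: str         # identifier of the user being impersonated
    issued_at: int       # seconds since epoch
    lifetime_s: int      # validity window (the article: 24 h for Actor tokens)


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)


def resolve_user_unchecked(token, target_tenant, directory, now):
    """Weak pattern the article describes: only the lifetime is checked.
    The token's issuing tenant is never compared with the tenant being
    accessed, and nothing is logged, so a cross-tenant use is invisible."""
    if now - token.issued_at > token.lifetime_s:
        return None
    return directory.get(target_tenant, {}).get(token.subject)


def resolve_user_checked(token, target_tenant, directory, now, log):
    """Hardened pattern: bind the token to the target tenant and record
    every decision so that cross-tenant attempts are at least detectable."""
    if now - token.issued_at > token.lifetime_s:
        log.entries.append(f"deny reason=expired subject={token.subject} tenant={target_tenant}")
        return None
    if token.issuer_tenant != target_tenant:
        log.entries.append(
            f"deny reason=cross-tenant issuer={token.issuer_tenant} "
            f"target={target_tenant} subject={token.subject}"
        )
        return None
    log.entries.append(f"allow subject={token.subject} tenant={target_tenant}")
    return directory.get(target_tenant, {}).get(token.subject)


# Constructed sample directory: two tenants, each with one user record.
DIRECTORY = {
    "tenant-attacker-0001": {"user-001": {"name": "Attacker Test User", "role": "User"}},
    "tenant-victim-0002":   {"user-001": {"name": "Victim Admin", "role": "Global Administrator"}},
}

# Constructed token: issued for the attacker's own tenant, 1 hour old, 24 h lifetime.
TOKEN = ImpersonationToken("tenant-attacker-0001", "user-001", issued_at=1_000_000, lifetime_s=86_400)
NOW = 1_003_600


def demo():
    """Return both outcomes and the audit log for a cross-tenant request."""
    log = AuditLog()
    weak = resolve_user_unchecked(TOKEN, "tenant-victim-0002", DIRECTORY, NOW)
    hardened = resolve_user_checked(TOKEN, "tenant-victim-0002", DIRECTORY, NOW, log)
    return weak, hardened, log.entries


if __name__ == "__main__":
    weak, hardened, entries = demo()
    print("unchecked resolved:", weak)        # victim's Global Administrator record
    print("checked resolved:  ", hardened)    # None
    print("audit log:", entries)
```

The first function reproduces the shape of the flaw: a valid, unexpired token from the attacker's tenant resolves to a privileged record in a different tenant with no trace left behind. The second function refuses the request and writes a log line that a SIEM rule could match on `reason=cross-tenant`.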
Via BleepingComputer