
A critical token validation vulnerability in Microsoft Entra ID, tracked as CVE-2025-55241 with a CVSS score of 10, has been discovered. The flaw could have allowed attackers to impersonate any user, including Global Administrators, in any tenant. Continue reading this Cybersecurity Threat Advisory to mitigate your risk.
What is the threat?
CVE-2025-55241 stems from a token validation failure in the legacy Azure AD Graph API, which did not verify the source tenant of service-to-service actor tokens.
Exploitation could result in:
- Privilege escalation to Global Administrator
- Undetected access to cloud resources
- Impersonation of any user within the target tenant
- Bypassing multifactor authentication and Conditional Access policies
- No trace in audit logs
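The failure class described above, a resource that checks a token's signature, audience and expiry but never binds the requested tenant to the tenant the token was issued for, is easier to see in code. The following is an added illustration, not Microsoft's code and not a reproduction of the Azure AD Graph logic: it uses a toy HS256 signing scheme with a constructed shared secret in place of Entra ID's RS256 tokens, and a `requested_tenant` parameter stands in for the tenant named in the caller's request. The `tid` and `iss` claim names and the `https://sts.windows.net/{tid}/` issuer form are the real Entra ID v1 conventions; the audience value is the Azure AD Graph resource URI; every other value is made up.

```python
"""Service-to-service token validation: tenant-unchecked vs tenant-bound.

Added example. Toy HS256 tokens signed with a constructed secret stand in for
real Entra ID tokens; the flaw being modelled is that the resource trusts the
tenant named in the request without comparing it to the token's own tenant.
"""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-key"                 # constructed, not a real key
RESOURCE_AUD = "https://graph.windows.net/"      # Azure AD Graph audience URI


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict) -> str:
    """Issue a compact JWT (header.payload.signature) over the given claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def demo_token(tenant: str, expired: bool = False) -> str:
    """Constructed token for a hypothetical service principal in `tenant`."""
    exp = time.time() + (-1 if expired else 600)
    return mint_token({
        "iss": f"https://sts.windows.net/{tenant}/",
        "aud": RESOURCE_AUD,
        "tid": tenant,
        "sub": "constructed-service-principal",
        "exp": exp,
    })


def _verify_signature(token: str) -> dict:
    """Checks that every validator shares: signature, audience, expiry."""
    header, body, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("aud") != RESOURCE_AUD:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) < time.time():
        raise ValueError("expired")
    return claims


def authorize_unbound(token: str, requested_tenant: str) -> dict:
    """Flawed: the token is genuine, but the tenant the caller asks to act in
    is taken from the request and never compared with the token's tid."""
    claims = _verify_signature(token)
    return {"tenant": requested_tenant, "actor": claims["sub"]}


def authorize_bound(token: str, requested_tenant: str) -> dict:
    """Hardened: the request may only target the tenant the token was issued
    for, and the issuer must be that tenant's issuer."""
    claims = _verify_signature(token)
    tid = claims.get("tid")
    if tid != requested_tenant:
        raise PermissionError("token was not issued for the requested tenant")
    if claims.get("iss") != f"https://sts.windows.net/{tid}/":
        raise PermissionError("issuer does not match the token's tenant")
    return {"tenant": tid, "actor": claims["sub"]}


def outcome(authorize, token: str, requested_tenant: str) -> str:
    """Run a validator and summarise the result as a single string."""
    try:
        result = authorize(token, requested_tenant)
        return f"allowed in {result['tenant']}"
    except (ValueError, PermissionError) as exc:
        return f"denied: {exc}"


if __name__ == "__main__":
    tok = demo_token("tenant-a")
    print("unbound, cross-tenant:", outcome(authorize_unbound, tok, "tenant-b"))
    print("bound, cross-tenant:  ", outcome(authorize_bound, tok, "tenant-b"))
    print("bound, own tenant:    ", outcome(authorize_bound, tok, "tenant-a"))
```

The point for anyone validating service-to-service tokens in their own APIs: a valid signature only proves who issued the token, not that the caller is entitled to the tenant or object it names in the request; the tenant binding has to be an explicit check.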
Why is it noteworthy?
This vulnerability is particularly concerning due to:
- Cross-tenant impact: It could be exploited across any Microsoft Entra ID tenant.
- High-privilege impersonation: Threat actors could impersonate Global Administrators.
- Broad service exposure: It affects Azure, Office 365, and third-party apps relying on legacy APIs.
- Security bypass: Token-based impersonation bypasses MFA and Conditional Access, leaving no audit trail.
What is the exposure or risk?
Organizations using Microsoft Entra ID were exposed to potential unauthorized access, data exfiltration, privilege escalation, and service manipulation. Attackers exploiting this vulnerability could gain full control over affected tenants, access sensitive data, and disrupt business operations. The lack of audit logging further complicates incident response and forensics. Although Microsoft has patched the issue and deprecated the vulnerable API, any organization that did not apply updates promptly may still be at risk.
What are the recommendations?
Barracuda recommends the following actions to limit your risk from this severe vulnerability:
- Verify and confirm that your tenant has received the Microsoft update that resolves this vulnerability.
- Fully remove Azure AD Graph API and migrate any legacy applications to Microsoft Graph API.
- Review audit logs and access patterns for signs of suspicious activity, especially around service-to-service tokens.
- Reassess your conditional access policies and enforce them through supported APIs and services.
- Audit privilege assignments to ensure Global Administrator roles are properly allocated and actively monitored.
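Two of the recommendations above, removing Azure AD Graph dependencies and auditing Global Administrator assignments, start with an inventory. The following added example (not Barracuda's or Microsoft's code) runs those two checks over a constructed export whose shape mirrors Microsoft Graph's `/applications` and `/directoryRoles?$expand=members` responses. The two well-known identifiers are real: `00000002-0000-0000-c000-000000000000` is the Azure AD Graph resource application and `62e90394-69f5-4237-9190-012177145e10` is the Global Administrator role template; every application ID, name and member in the sample data is made up.

```python
"""Inventory checks for legacy Azure AD Graph usage and Global Administrator
membership. Added example over a constructed export; only the two well-known
Microsoft identifiers below are real."""
import json

AZURE_AD_GRAPH_APP_ID = "00000002-0000-0000-c000-000000000000"   # legacy Azure AD Graph
MICROSOFT_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph
GLOBAL_ADMIN_TEMPLATE_ID = "62e90394-69f5-4237-9190-012177145e10"

# Constructed sample in the shape of GET /applications (names and GUIDs made up).
SAMPLE_APPLICATIONS = json.loads("""[
  {"displayName": "HR Sync (legacy)",
   "appId": "aaaaaaaa-0000-0000-0000-000000000001",
   "requiredResourceAccess": [
     {"resourceAppId": "00000002-0000-0000-c000-000000000000",
      "resourceAccess": [{"id": "bbbbbbbb-0000-0000-0000-000000000001", "type": "Role"}]}]},
  {"displayName": "Ticketing portal",
   "appId": "aaaaaaaa-0000-0000-0000-000000000002",
   "requiredResourceAccess": [
     {"resourceAppId": "00000003-0000-0000-c000-000000000000",
      "resourceAccess": [{"id": "bbbbbbbb-0000-0000-0000-000000000002", "type": "Scope"}]}]},
  {"displayName": "Mixed tenant tool",
   "appId": "aaaaaaaa-0000-0000-0000-000000000003",
   "requiredResourceAccess": [
     {"resourceAppId": "00000003-0000-0000-c000-000000000000",
      "resourceAccess": [{"id": "bbbbbbbb-0000-0000-0000-000000000003", "type": "Scope"}]},
     {"resourceAppId": "00000002-0000-0000-c000-000000000000",
      "resourceAccess": [{"id": "bbbbbbbb-0000-0000-0000-000000000004", "type": "Scope"}]}]}
]""")

# Constructed sample in the shape of GET /directoryRoles?$expand=members.
SAMPLE_ROLES = json.loads("""[
  {"displayName": "Global Administrator",
   "roleTemplateId": "62e90394-69f5-4237-9190-012177145e10",
   "members": [
     {"@odata.type": "#microsoft.graph.user", "userPrincipalName": "admin1@contoso.example"},
     {"@odata.type": "#microsoft.graph.servicePrincipal", "displayName": "Automation SP"}]},
  {"displayName": "Constructed other role",
   "roleTemplateId": "cccccccc-0000-0000-0000-000000000001",
   "members": [
     {"@odata.type": "#microsoft.graph.user", "userPrincipalName": "helpdesk@contoso.example"}]}
]""")


def apps_using_legacy_graph(apps: list) -> list:
    """Return apps that still request Azure AD Graph permissions, with the
    permission types ("Role" = application, "Scope" = delegated) they ask for."""
    findings = []
    for app in apps:
        types = sorted({
            access["type"]
            for resource in app.get("requiredResourceAccess", [])
            if resource.get("resourceAppId") == AZURE_AD_GRAPH_APP_ID
            for access in resource.get("resourceAccess", [])
        })
        if types:
            findings.append({"displayName": app["displayName"],
                             "appId": app["appId"],
                             "permissionTypes": types})
    return findings


def global_admin_members(roles: list) -> list:
    """Return 'kind:name' labels for every member of the Global Administrator
    role, matched by template ID rather than display name."""
    members = []
    for role in roles:
        if role.get("roleTemplateId") != GLOBAL_ADMIN_TEMPLATE_ID:
            continue
        for m in role.get("members", []):
            kind = m.get("@odata.type", "").rsplit(".", 1)[-1]
            name = m.get("userPrincipalName") or m.get("displayName", "<unnamed>")
            members.append(f"{kind}:{name}")
    return members


if __name__ == "__main__":
    for f in apps_using_legacy_graph(SAMPLE_APPLICATIONS):
        print(f"migrate: {f['displayName']} ({f['appId']}) -> {f['permissionTypes']}")
    for label in global_admin_members(SAMPLE_ROLES):
        print(f"global admin: {label}")
```

Matching the role on its template ID rather than its display name matters because display names are localised and the role object ID differs per tenant, while the template ID is constant. A real run replaces the constructed lists with the JSON returned by the two Graph endpoints; the checks themselves do not change.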
References
For more in-depth information about the recommendations, please visit the following links:
- https://thehackernews.com/2025/09/microsoft-patches-critical-entra-id.html?m=1
- https://www.darkreading.com/cloud-security/critical-azure-entra-id-flaw-microsoft-iam-issues
If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.
This post originally appeared on Smarter MSP.