#actor-tokens

[ follow ]
#azure-ad-graph-api #cross-tenant-impersonation #azure-entra #entra-id #cve-2025-55241 #microsoft-entra-id
Information security
fromSecurityWeek
1 week ago

All Microsoft Entra Tenants Were Exposed to Silent Compromise via Invisible Actor Tokens: Researcher

Undocumented Microsoft Actor tokens plus an Azure AD Graph validation flaw allowed cross-tenant impersonation without logging, enabling undetectable global Entra ID compromise.
Information security
fromIT Pro
1 week ago

A terrifying Microsoft flaw could've allowed hackers to compromise 'every Entra ID tenant in the world'

A critical Entra ID vulnerability (CVE-2025-55241) could have allowed cross-tenant full administrative compromise via undocumented 'Actor' tokens and Azure AD Graph API validation flaws.
fromTechzine Global
2 weeks ago

Dutch hacker: all Microsoft Entra ID tenants at risk

Dutch security researcher Dirk-jan Mollema discovered a critical vulnerability in Microsoft Entra ID that allowed full access to every tenant in the world. Microsoft fixed the problem within days of being notified. The flaw consisted of undocumented impersonation tokens and a validation error in the old Azure AD Graph API. With this vulnerability, a successful attack would remain completely invisible. This is because there was no logging for requesting Actor tokens. Even if there had been, it would only appear in the attacker's tenant, not in the victim's.
Information security
[ Load more ]