Critical Microsoft Entra ID “Actor Token” Vulnerability (CVE-2025-55241)
October 6th, 2025
Critical
Our Cyber Threat Intelligence Unit is monitoring a critical identity and access management vulnerability in Microsoft Entra ID (formerly Azure Active Directory), tracked as CVE-2025-55241. Widely known as the “actor token” vulnerability, the issue arises from actor tokens issued by the Access Control Service (ACS) being improperly trusted by the legacy Azure AD Graph API, which does not enforce tenant validation. This allows attackers to impersonate privileged users across tenants, sometimes gaining access equivalent to that of a Global Administrator. Microsoft has confirmed that the vulnerability was patched in the backend prior to disclosure. Despite the patch, organizations can still remain at risk from historical token misuse and misconfigured cross-tenant trust models.
Technical Details
Attack Type: Cross-tenant privilege escalation via token abuse.
Severity: Critical (CVSS 10.0).
CVE ID: CVE-2025-55241.
Delivery Method: Abuse of ACS-issued actor/delegated tokens accepted by Azure AD Graph without proper tenant validation.
Technique: Attackers replay actor tokens containing privileged claims to perform administrative actions in other customer tenants, bypassing MFA, Conditional Access, and standard sign-in logging.
Affected Products: Microsoft Entra ID (Azure AD), Access Control Service (ACS), Azure AD Graph API.

Impact
Attackers could leverage misused tokens to execute administrative actions across tenant boundaries.
Exploitation can allow cross-tenant Global Administrator privilege, exposing customer identities, credentials, and configuration data.
Compromise of delegated tokens could facilitate persistent access, large-scale service interruptions, and stealthy configuration backdoors.
Because actor tokens bypassed MFA and Conditional Access, exploitation could evade standard detection controls.
Detection Method
Due to minimal native logging, detection requires indirect correlation:
Monitor for tokens with unexpected actor/delegated claims or anomalous issuers/audiences.
Flag cross-tenant token usage, especially in legacy API calls.
Alert on unusual role assignments, new service principal creation, or administrative actions by non-interactive principals.
Correlate token issuance with sudden spikes in privileged operations.
Review enterprise apps and service principals with excessive delegated scopes or recent high-privilege consents.
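As an added example (not code from this advisory or from Microsoft), the following Python triage script decodes JWTs recovered from logs and flags the three artifacts the detection guidance above names: a legacy Azure AD Graph audience, an actor-token claim, and an issuer tenant that differs from the tenant the token asserts. The `actort` claim name, the ACS-style `<appid>@<tenantid>` issuer form, and all tenant IDs and sample tokens are assumptions or constructed values.

```python
import base64
import json
from typing import Dict, List

# Constructed constants (assumptions for this example, not values from the advisory).
LEGACY_GRAPH_AUDIENCE = "https://graph.windows.net"   # Azure AD Graph resource URI
HOME_TENANT = "11111111-1111-1111-1111-111111111111"  # placeholder id of the defended tenant

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(token: str) -> Dict:
    """Return the JWT payload. Signature is NOT verified: this is log triage, not authorization."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))

def tenant_of_issuer(iss: str) -> str:
    """Tenant id from either issuer shape: 'https://sts.windows.net/<tid>/' or '<appid>@<tid>'."""
    if "@" in iss:
        return iss.rsplit("@", 1)[1]
    return iss.rstrip("/").rsplit("/", 1)[-1]

def triage_token(token: str) -> List[str]:
    """Flag the token artifacts the advisory's detection guidance describes."""
    claims = decode_claims(token)
    findings = []
    if claims.get("aud", "").rstrip("/") == LEGACY_GRAPH_AUDIENCE:
        findings.append("legacy Azure AD Graph audience")
    if "actort" in claims:  # assumption: the platform's actor-token claim name
        findings.append("carries an actor token (actort claim)")
    issuer_tenant = tenant_of_issuer(claims.get("iss", ""))
    tid = claims.get("tid", "")
    if tid and issuer_tenant and tid != issuer_tenant:
        findings.append(f"cross-tenant: issued by {issuer_tenant}, asserts tenant {tid}")
    return findings

def make_unsigned_jwt(claims: Dict) -> str:
    """Build a constructed, unsigned JWT used only as sample input for triage_token()."""
    def enc(obj: Dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."

# Constructed samples: a cross-tenant actor-style token aimed at Azure AD Graph, and a benign one.
SUSPECT = make_unsigned_jwt({"iss": "aaaaaaaa-0000-0000-0000-000000000000@22222222-2222-2222-2222-222222222222",
                             "aud": "https://graph.windows.net/", "tid": HOME_TENANT, "actort": "<actor-token>"})
BENIGN = make_unsigned_jwt({"iss": f"https://sts.windows.net/{HOME_TENANT}/",
                            "aud": "https://graph.microsoft.com", "tid": HOME_TENANT})
```

Run `triage_token()` over tokens extracted from sign-in or application logs; any non-empty finding list is a candidate for the correlation steps listed above, not a verdict on its own.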
Indicators of Compromise
There are no Indicators of Compromise (IOCs) for this Advisory.

Recommendations
Apply Microsoft guidance immediately and confirm if tenant-specific advisories were issued.
Investigate for prior signs of exploitation: review token usage, app permissions, and historical audit logs for suspicious cross-tenant activity.
Retire Azure AD Graph API dependencies; migrate to Microsoft Graph.
Revoke suspicious access/refresh tokens; rotate service principal secrets for high-privilege apps.
Restrict app consent policies; require admin approval for high-privilege scopes.
Enforce MFA and Just-In-Time (JIT) elevation for all privileged accounts.
Centralize Entra ID logs into a SIEM and create detections for actor token artifacts and cross-tenant privileged actions.
Revisit cross-tenant integrations and ensure all external token trust is explicit, federated, and validated.
Conclusion
The Entra ID actor token vulnerability (CVE-2025-55241) highlights the systemic risks associated with misapplied trust in cloud identity tokens. While Microsoft has remediated the issue in its backend services, customers must assume exploitation leaves limited audit evidence. We urge organizations to prioritize forensic review, credential rotation, and hardening of cross-tenant access to reduce residual exposure.