- Actor tokens allowed cross-tenant impersonation without logging or security checks
- CVE-2025-55241 enabled Global Administrator access via the Azure AD Graph API
- Microsoft fixed the flaw in September 2025; actor tokens and the Azure AD Graph API are being phased out
Security researchers have found a critical vulnerability in Microsoft Entra ID that could have allowed threat actors to obtain Global Administrator access to practically anyone's tenant, without being detected in any way.
The vulnerability consists of two things: a legacy mechanism called "actor tokens", and a critical elevation-of-privilege bug tracked as CVE-2025-55241.
Actor tokens are undocumented, unchecked authentication tokens used by Microsoft services to impersonate users in tenants. They are issued by a legacy system called Access Control Service (ACS) and were originally designed for service-to-service (S2S) authentication.
Deprecation and removal
According to security researcher Dirk-Jan Mollema, who discovered the flaw, these tokens bypass the standard security checks, lack logging and remain valid for 24 hours, which makes them usable for unauthorized access without detection.
Mollema showed that by crafting impersonation tokens using public tenant identifiers and user identifiers, he could access sensitive data and carry out administrative actions in other organizations' environments.
These actions included creating users, resetting passwords and modifying configurations, all without generating logs in the victim tenant.
"I tested this with some additional test tenants I had access to, which I was not crazy about, but I could indeed access data in other tenants, as long as I knew their tenant identifier (which is public information) and the netId of a user in that tenant," said Mollema.
It turns out that the Azure AD Graph API, a deprecated system that is slowly being retired, accepted tokens issued for one tenant and applied them to another, bypassing Conditional Access policies and standard authentication checks.
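The missing check described above, as an added illustration that is not Microsoft's code and not from the original article: a simplified, hypothetical resource API that receives an impersonation token and a target tenant. The claim names (`issuing_tenant`, `subject`, `token_type`) are assumptions for this model. The vulnerable version never binds the token to the tenant being accessed and logs nothing; the fixed version rejects any mismatch and records an audit entry either way.

```python
from dataclasses import dataclass, field


@dataclass
class Token:
    """Minimal model of an impersonation token (assumed claim names)."""
    issuing_tenant: str   # tenant the token was minted for
    subject: str          # user being impersonated (e.g. a netId)
    token_type: str       # "actor" for service impersonation tokens


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)


def authorize_vulnerable(token: Token, target_tenant: str) -> bool:
    # Trusts any well-formed actor token regardless of which tenant it was
    # issued for, and writes no audit record: cross-tenant use is invisible.
    return token.token_type == "actor"


def authorize_fixed(token: Token, target_tenant: str, log: AuditLog) -> bool:
    # Binds the token to the tenant being accessed and records the decision,
    # so a token from tenant A can never act on tenant B unnoticed.
    tenant_matches = token.issuing_tenant == target_tenant
    allowed = token.token_type == "actor" and tenant_matches
    log.entries.append({
        "subject": token.subject,
        "token_tenant": token.issuing_tenant,
        "target_tenant": target_tenant,
        "result": "allowed" if allowed else "denied",
    })
    return allowed


# Constructed sample: a token minted for tenant A used against tenant B.
TENANT_A = "tenant-a-0000"   # constructed placeholder, not a real tenant ID
TENANT_B = "tenant-b-1111"   # constructed placeholder, not a real tenant ID
SAMPLE_TOKEN = Token(issuing_tenant=TENANT_A, subject="user-netid-42", token_type="actor")


def demo() -> dict:
    """Run both checks on the same cross-tenant request and return the outcomes."""
    log = AuditLog()
    return {
        "vulnerable_accepts_cross_tenant": authorize_vulnerable(SAMPLE_TOKEN, TENANT_B),
        "fixed_accepts_cross_tenant": authorize_fixed(SAMPLE_TOKEN, TENANT_B, log),
        "fixed_accepts_own_tenant": authorize_fixed(SAMPLE_TOKEN, TENANT_A, log),
        "audit_results": [e["result"] for e in log.entries],
    }
```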
Mollema reported the problem to Microsoft, which acknowledged it in mid-July 2025 and fixed it within two weeks. CVE-2025-55241 received a severity score of 10/10 (critical) and was officially disclosed on September 4.
The Azure AD Graph API is being deprecated, while actor tokens, which Microsoft describes as "highly privileged access" mechanisms used internally, are being removed.
Via BleepingComputer