A critical Microsoft authentication vulnerability may have allowed a threat actor to compromise nearly every Entra ID tenant in the world.
The elevation of privilege (EoP) vulnerability, tracked as CVE-2025-55241, was addressed over the summer and disclosed earlier this month; there is no indication that the flaw, which initially received a CVSS score of 9.0 but was raised to the maximum 10.0 this week, was exploited in the wild. That said, according to the researcher who discovered it, the vulnerability could have been used for devastating attacks, and it highlights a lack of security around key components of Azure's authentication stack.
According to Dirk-jan Mollema, security researcher and founder of the Dutch infosec consultancy Outsider Security, the vulnerability stems from an authentication failure in the Azure AD Graph API. The service, which is scheduled for deprecation this year, is a REST API that lets users access Azure cloud resources, including Entra ID (formerly known as Azure Active Directory or Azure AD).
Keep reading this article in Dark Reading, a DCN partner site
