FB pixel

Microsoft patch of widespread Entra ID authentication flaw disclosed

Potential compromise with no mitigation headed off before any in-the-wild attacks
| Chris Burt
Categories Access Control  |  Biometrics News
Microsoft patch of widespread Entra ID authentication flaw disclosed
 

An authentication vulnerability in Microsoft Entra ID has been patched prior to being publicly revealed, and before criminals could use it to carry out attacks in the wild. And good thing, because the flaw could potentially have led to the compromise of every Entra ID tenant in the world, except for one critical class.

The severity of CVE-2025-55241 has been recognized in the Common Vulnerability Scoring System with a 9.0 subsequently raised to the maximum, 10. The “Azure Entra Elevation of Privilege Vulnerability” was discovered by red-team hacker Dirk-jan Mollema of Outsider Security, who said it could have been used to gain access to every enterprise digital ID on the platform “except probably those in national cloud deployments.”

Mollema found that Microsoft uses “undocumented impersonation tokens,” or “Actor tokens” for communication between back-end services. Since the legacy Azure AD Graph API did not properly validate the originating tenant, a token requested in any given tenant could perform authentication as any user, admins included, in any tenant.

“Because of the nature of these Actor tokens, they are not subject to security policies like Conditional Access, which means there was no setting that could have mitigated this for specific hardened tenants,” Mollema explains in his post on the vulnerability.

He was unable to confirm that the vulnerability does not exist in national cloud deployments, but points out in his post that they use their own token signing keys, which should make the attack impossible to execute from a public cloud tenant.

The Azure AD Graph API was in midst of being sunset when the vulnerability was discovered. It reached the end of extended access on August 31, and has been replaced by Microsoft Graph for unified access to a broader range of services.

Microsoft enhanced the authentication policy controls for Entra earlier this year to allow administrators to mandate more frequent reauthentication.

Related Posts

Article Topics

 |   |   | 

Latest Biometrics News

 

Face biometrics use cases outnumbered only by important considerations

With face biometrics now used regularly in many different sectors and areas of life, stakeholders are asking questions about a…

 

Biometric Update Podcast explores identification at scale using browser fingerprinting

“Browser fingerprinting is this idea that modern browsers are so complex.” So says Valentin Vasilyev, Chief Technology Officer of Fingerprint,…

 

Passkeys now pervasive but passwords persist in enterprise authentication

Passkeys are here; now about those passwords. Specifically, passkeys are now prevalent in the enterprise, the FIDO Alliance says, with…

 

Pornhub returns to UK, but only for iOS users who verify age with Apple

In the UK, “wanker” is not typically a term of endearment. However, the case may be different for Pornhub, which…

 

Europol operated ‘shadow’ IT systems without data safeguards: Report

Europol has operated secret data analysis platforms containing large amounts of personal information, such as identity documents, without the security…

 

EU pushes AI Act deadlines for high-risk systems, including biometrics

The EU has reached a provisional agreement on changes to the AI Act that postpone rules on high-risk AI systems,…

Comments

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Continue Reading

Biometric Market Analysis and Buyer's Guides

Most Viewed This Week

Featured Company

Learn More

Biometrics Insight, Opinion

Digital ID In-Depth

Biometrics White Papers

Biometrics Events