Microsoft Entra ID - The Most Dangerous Security Vulnerability
Katrin Peter, 3 minute read

identity-management microsoft-azure cybersecurity zero-trust cloud-security

A critical look at CVE-2025-55241

On September 18, 2025, golem.de reported a security vulnerability in Microsoft Entra ID, discovered by security researcher Dirk-Jan Mollema, who described it as "probably the most significant Entra ID security vulnerability" of his career. Registered as CVE-2025-55241 and rated critical with a CVSS score of 9.0, the case shows how exposed an organization is when its central identity and access platform can be compromised.

What was the issue?

At its core, the vulnerability is the misuse of so-called Actor tokens: internal tokens that Microsoft's Access Control Service issues for service-to-service communication between its own backend services. Combined with a validation flaw in the legacy Azure AD Graph API (graph.windows.net), which did not check that the token originated from the tenant it was being used against, Mollema showed that an Actor token requested in his own tenant could be used to impersonate users in any other tenant.

Particularly critical:

  • With an Actor token it was possible to act as any user in the target tenant, including Global Administrators. Actor tokens are not subject to Conditional Access policies, so MFA and location requirements did not apply.
  • The activity was effectively invisible: requesting an Actor token is not logged, and read access through the Azure AD Graph API left no entries in the victim tenant, neither in the sign-in logs nor in the audit logs. Only write operations (creating users, changing roles) appeared in the audit log, and there they were attributed to the impersonated user and hardly distinguishable from legitimate admin activity.

This would allow an attacker not only to take over user accounts but also to create identities, change permissions, and manipulate configurations—without the affected organization even noticing.

Why is this so dangerous?

Entra ID (formerly Azure Active Directory) is the central identity and access management authority for many companies. It provides Single Sign-On and Multi-Factor Authentication and is an integral part of countless cloud workloads. A vulnerability at this level means that a company's entire security architecture can be compromised, from email access to internal systems to cloud applications.

Especially in Kubernetes environments, where Entra ID is often used to authenticate developers and service accounts (for example as the OIDC identity provider for the API server), such a vulnerability could have devastating effects on the entire container infrastructure.

Additionally, according to Mollema, the two values an attacker needs, the target tenant ID and the netId of the user to impersonate, are relatively easy to obtain: the tenant ID is publicly discoverable from a domain name, and netIds could be found via API access or brute force. This makes exploitation not just theoretically dangerous but practically feasible.

Microsoft’s Response

Mollema reported the vulnerability on July 14, 2025. Microsoft deployed an initial fix within three days and further mitigations on August 6. However, the vulnerability was not disclosed publicly until September, roughly a month later.

The quick fix is commendable. Nevertheless, the incident shows that this is not only about patching individual vulnerabilities but about the more fundamental question of whether such a central dependency on a single platform is sustainable.

Lessons for Companies

The case highlights two key points:

  1. Central identity systems are a single point of failure. If Entra ID fails or is compromised, the entire organization comes to a halt.
  2. Transparency and traceability are crucial. Invisible attacks that leave no traces in logs are a particular danger, as traditional detection mechanisms fail.
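One concrete detection heuristic for the second point, and for the invisibility described under "What was the issue?": an Actor token impersonation leaves no sign-in log entry for the impersonated user, but the changes it makes do land in the directory audit log under that user's name. Correlating the two logs therefore surfaces privileged changes made by an account that never signed in. The following Python script is an added example and is not code from the article, from Mollema or from Microsoft. The records are constructed samples shaped like the Microsoft Graph `directoryAudit` and `signIn` resources, and the list of high-impact activity names and the 24-hour window are assumptions to be tuned per tenant.

```python
"""Correlate Entra ID directory audit events with sign-in events.

Idea: an Actor token impersonation produces no sign-in for the impersonated
user, but the changes it makes appear in the audit log attributed to that
user. High-impact changes whose initiator has no recent successful sign-in
are therefore worth a closer look.

All records below are CONSTRUCTED samples shaped like the Microsoft Graph
`directoryAudit` and `signIn` resources; they are not real tenant data.
"""
from datetime import datetime, timedelta

# Audit activity names to correlate (assumption: tune this list per tenant).
HIGH_IMPACT_ACTIVITIES = {
    "Add member to role",
    "Add user",
    "Add owner to application",
    "Update application – Certificates and secrets management",
    "Reset user password",
}

# Assumption: a user who really made the change signed in within this window.
SIGN_IN_WINDOW = timedelta(hours=24)

SAMPLE_SIGN_INS = [  # constructed
    {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2025-09-10T08:02:11Z",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@contoso.example", "createdDateTime": "2025-09-10T09:15:00Z",
     "ipAddress": "203.0.113.11", "status": {"errorCode": 50126}},  # failed: bad password
]

SAMPLE_AUDIT_EVENTS = [  # constructed
    {"activityDateTime": "2025-09-10T10:30:00Z", "activityDisplayName": "Add member to role",
     "result": "success", "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}},
     "targetResources": [{"displayName": "Helpdesk Administrator"}]},
    {"activityDateTime": "2025-09-11T03:12:45Z", "activityDisplayName": "Add member to role",
     "result": "success", "initiatedBy": {"user": {"userPrincipalName": "bob@contoso.example"}},
     "targetResources": [{"displayName": "Global Administrator"}]},
    {"activityDateTime": "2025-09-11T03:14:02Z", "activityDisplayName": "Add user",
     "result": "success", "initiatedBy": {"user": {"userPrincipalName": "bob@contoso.example"}},
     "targetResources": [{"displayName": "svc-backup"}]},
    {"activityDateTime": "2025-09-11T03:20:00Z", "activityDisplayName": "Update user",
     "result": "success", "initiatedBy": {"user": {"userPrincipalName": "bob@contoso.example"}},
     "targetResources": [{"displayName": "svc-backup"}]},
    {"activityDateTime": "2025-09-11T03:25:00Z", "activityDisplayName": "Add owner to application",
     "result": "success", "initiatedBy": {"app": {"displayName": "Provisioning Service"}},
     "targetResources": [{"displayName": "HR Connector"}]},
    {"activityDateTime": "2025-09-11T09:00:00Z", "activityDisplayName": "Reset user password",
     "result": "success", "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}},
     "targetResources": [{"displayName": "carol@contoso.example"}]},
]


def _parse(ts: str) -> datetime:
    """Parse the ISO-8601 'Z' timestamps Microsoft Graph emits."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def successful_sign_ins_by_user(sign_ins):
    """Index successful sign-ins (status.errorCode == 0) by lower-cased UPN."""
    index = {}
    for s in sign_ins:
        if s.get("status", {}).get("errorCode", 1) == 0:
            index.setdefault(s["userPrincipalName"].lower(), []).append(_parse(s["createdDateTime"]))
    return index


def find_unbacked_privileged_changes(audit_events, sign_ins, window=SIGN_IN_WINDOW):
    """Return successful high-impact audit events initiated by a user who has
    no successful sign-in in the `window` before the change."""
    sign_in_index = successful_sign_ins_by_user(sign_ins)
    flagged = []
    for e in audit_events:
        if e.get("activityDisplayName") not in HIGH_IMPACT_ACTIVITIES or e.get("result") != "success":
            continue
        user = e.get("initiatedBy", {}).get("user")
        if not user:  # initiated by an app/service principal: a separate hunt
            continue
        upn = user["userPrincipalName"]
        when = _parse(e["activityDateTime"])
        backed = any(when - window <= t <= when for t in sign_in_index.get(upn.lower(), []))
        if not backed:
            flagged.append({
                "activityDateTime": e["activityDateTime"],
                "activity": e["activityDisplayName"],
                "initiatedBy": upn,
                "target": e["targetResources"][0].get("displayName"),
                "reason": f"no successful sign-in by {upn} in the {window} before this change",
            })
    return flagged


if __name__ == "__main__":
    for hit in find_unbacked_privileged_changes(SAMPLE_AUDIT_EVENTS, SAMPLE_SIGN_INS):
        print(f"{hit['activityDateTime']} {hit['activity']!r} on {hit['target']!r}: {hit['reason']}")
```

On the sample data this flags bob's role assignment and user creation (his only sign-in failed) and alice's password reset (her last sign-in is older than the window), while her earlier role change is backed by a sign-in. Treat hits as a triage signal, not proof: long-lived sessions and cached tokens in admin tooling also produce changes without a fresh sign-in, so the window needs tuning. In production the same correlation is run in KQL over the AuditLogs and SigninLogs tables, or over the Microsoft Graph auditLogs endpoints.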

For companies, this means: Even if providers like Microsoft react quickly, their own security strategy must focus on defense-in-depth, independent control mechanisms, and potentially hybrid or sovereign alternatives.

Solutions like Authentik or Keycloak offer alternatives for self-managed identity management, while Zitadel enables modern zero-trust architectures. These can be operated in Kubernetes clusters and offer full control over identity data and authentication processes.

