
This serious Microsoft Entra flaw could have let hackers infiltrate any user, so patch now


Researchers found a potent combination of critical flaws and legacy services
Actor tokens allowed cross-tenant impersonation without logging or security checks
CVE-2025-55241 enabled Global Admin access via deprecated Azure AD Graph API
Microsoft patched the flaw in September 2025; actor tokens and Graph API are being phased out

Security researchers have found a critical vulnerability in Microsoft Entra ID which could have allowed threat actors to gain Global Administrator access to virtually anyone’s tenant – without being detected in any way.
The attack chain combines two things – a legacy mechanism called “actor tokens”, and a critical Elevation of Privilege bug tracked as CVE-2025-55241.
Actor tokens are undocumented, unsigned authentication tokens used in Microsoft services to impersonate users across tenants.
