As technology evolves, cybercriminals keep finding new ways to break into systems. In July, we covered incidents related to cyberattacks on SharePoint servers, and just a few days ago came news that Microsoft had busted the team behind the RaccoonO365 tool.

But every so often, a vulnerability appears that stands out from the rest. Unlike a typical data breach or a stolen password, this one could have opened the doors to every Microsoft Entra ID tenant worldwide. A Dutch security researcher and hacker, Dirk-jan Mollema, discovered the flaw and explained how it worked.

The issue combined two dangerous flaws. First, hidden “Actor tokens” that weren’t bound by security controls such as Conditional Access. Second, a validation error in the legacy Azure AD Graph API.

Chained together, the two flaws could let an attacker impersonate Global Admins in other organizations’ tenants. In practice, that meant the keys to everything: email, files in SharePoint, Azure resources, and even BitLocker recovery keys.

What made this especially dangerous was that it was invisible. The outdated API lacked proper logging, so the suspicious requests wouldn’t show up in the victim’s environment. In other words, any malicious activity would have looked like a legitimate admin at work.

The good news is that Mollema reported the issue to Microsoft immediately. The company has since patched the bug and added detection rules for security teams. The vulnerability was later tracked as CVE-2025-55241, with Microsoft noting that its telemetry showed no signs of abuse.

via: Wired | Techzine