
Microsoft patches terrifyingly serious Entra ID privilege elevation vulnerability


Jasper_The_Rasper
Moderator

September 22, 2025 By Sofia Elizabella Wyciślik-Wilson


Microsoft Entra ID flaw

Details have emerged about a now-patched flaw in Microsoft Entra ID which could have been exploited to gain access to any tenant of any company in the world.

Tracked as CVE-2025-55241, the Azure Entra Elevation of Privilege Vulnerability has a CVSS 3.1 severity rating of 10.0. The security researcher who discovered the flaw said that he had “found the most impactful Entra ID vulnerability that I will probably ever find. This vulnerability could have allowed me to compromise every Entra ID tenant in the world”.

The vulnerability was made back in July by Dirk-jan Mollema while preparing for Black Hat and DEF CON talks. Having reported the vulnerability to the Microsoft Security Response Center (MSRC) the same day, Mollema and Outsider Security’s findings helped Microsoft to address the flaw as well as to roll out “further mitigations that block applications from requesting these Actor tokens for the Azure AD Graph API”.

Writing about his findings, Mollema says:
