- Actor tokens allowed cross-tenant impersonation without logging or security checks
- CVE-2025-55241: Global Administrator access obtained through the deprecated Azure AD Graph API
- Microsoft patched the flaw in September 2025; actor tokens and the Azure AD Graph API are being retired
Security researchers have found a critical vulnerability in Microsoft Entra ID that could have allowed threat actors to obtain Global Administrator access to practically any tenant, without being detected in any way.
The vulnerability combines two things: a legacy service called "actor tokens", and a critical elevation-of-privilege flaw tracked as CVE-2025-55241.
Actor tokens are undocumented authentication tokens used within Microsoft services to impersonate users across tenants. They are issued by a legacy system called the Access Control Service (ACS) and were originally designed for service-to-service (S2S) authentication.
Deprecation and removal
According to security researcher Dirk-Jan Mollema, who discovered the flaw, these tokens bypass standard security controls, generate no logs, and remain valid for 24 hours, which makes them exploitable for undetected unauthorized access.
Mollema showed that by crafting impersonation tokens from public identifiers (tenant IDs and user identifiers), he could access confidential data and carry out administrative actions in other organizations' environments.
These actions included creating users, resetting passwords and modifying configurations, all without generating any records in the victim's tenant.
"I tried this in a few more test tenants I had access to, to make sure I was not crazy, but in fact I could access the data in other tenants, as long as I knew the tenant's identifier (which is public information) and the identifier of a user in that tenant," Mollema explained.
In effect, the Azure AD Graph API, a legacy system that is slowly being retired, was accepting tokens issued for one tenant and applying them to another, bypassing Conditional Access policies and standard authentication checks.
Mollema reported the problem to Microsoft, which acknowledged it in mid-July 2025 and patched it within two weeks. CVE-2025-55241 received a severity score of 10/10 (critical) and was officially addressed on September 4.
The Azure AD Graph API is being retired, while actor tokens, which Microsoft describes as internally used "high-privileged access" mechanisms, are being removed.
Via BleepingComputer