Critical Entra ID Flaw Enabling Global Admin Impersonation Across Tenants Patched by Microsoft

[Image: Entra ID flow]


Critical Entra ID flaw

“Microsoft has patched a critical flaw that allowed Global Administrator impersonation across tenants.”

Attackers could have assumed the identity of any user, including Global Administrators, in any tenant because of a critical flaw in Microsoft Entra ID (formerly Azure Active Directory).

The vulnerability, tracked as CVE-2025-55241, has been assigned the maximum CVSS score of 10.0. Microsoft has characterized it as a vulnerability in Azure Entra. There is no evidence that the issue was exploited in the wild.

The Windows maker had fixed the issue as of July 17, 2025, so no customer action is required.

Dirk-Jan Mollema, security researcher

According to security researcher Dirk-Jan Mollema, who found the vulnerability and disclosed it on July 14, it allowed the compromise of every Entra ID tenant in the world, most likely with the exception of national cloud deployments.

Since Azure resources are managed at the tenant level, Global Administrators can grant themselves permissions on Azure, which “would also grant unrestricted access to every resource in Azure.”

The flaw stems from the use of service-to-service (S2S) actor tokens issued by the Access Control Service (ACS), combined with a critical defect in the legacy Azure AD Graph API (graph.windows.net), which failed to validate the originating tenant of the token.

This matters because a bad actor who obtains such a token can use it without any authorization check against the target tenant, and because these tokens are not subject to Conditional Access restrictions.
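To make the missing check concrete, here is an added example that is not code from the article, from Microsoft or from the researcher. It uses a constructed, HMAC-signed JSON claim set as a stand-in for an S2S token (the real actor-token format is not shown on the page and is not reproduced), and contrasts a validator that only checks the issuer's signature with one that also binds the token's issuing tenant (`tid`) to the tenant being accessed. All tenant IDs, claim names and the signing key are constructed for the example.

```python
import hashlib
import hmac
import json
import time

# Constructed stand-in for a service-to-service token: a JSON claim set plus an
# HMAC tag over it. Only the tenant-binding logic is the point of the example.
SIGNING_KEY = b"demo-issuer-key"  # constructed; stands in for the central issuer's key


def make_token(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Serialise the claims and append an HMAC-SHA256 tag (constructed format)."""
    body = json.dumps(claims, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag


def verify_signature(token: str, key: bytes = SIGNING_KEY) -> dict:
    """Check the tag and return the claims; raise ValueError on tampering."""
    body, _, tag = token.rpartition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("token signature does not verify")
    return json.loads(body)


def authorize_legacy(token: str, target_tenant: str) -> tuple:
    """Models the defect described above: a token is trusted as soon as the
    central issuer's signature verifies; the tenant it was issued for ('tid')
    is never compared with the tenant being accessed."""
    claims = verify_signature(token)
    return claims["sub"], claims["roles"]


def authorize_hardened(token: str, target_tenant: str, now=None) -> tuple:
    """Tenant-bound check: the token's issuing tenant must equal the target
    tenant, and the token must not be expired."""
    claims = verify_signature(token)
    now = time.time() if now is None else now
    if claims.get("tid") != target_tenant:
        raise PermissionError(
            f"token issued for tenant {claims.get('tid')!r} "
            f"presented to tenant {target_tenant!r}"
        )
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")
    return claims["sub"], claims["roles"]


def cross_tenant_demo() -> dict:
    """Issue a token in one constructed tenant and present it to another."""
    attacker_tenant = "11111111-1111-1111-1111-111111111111"  # constructed IDs
    victim_tenant = "22222222-2222-2222-2222-222222222222"
    tok = make_token({
        "sub": "user@attacker.example",
        "tid": attacker_tenant,
        "roles": ["GlobalAdministrator"],
        "exp": 4102444800,  # far-future expiry so only the tenant check decides
    })
    legacy_result = authorize_legacy(tok, victim_tenant)
    try:
        authorize_hardened(tok, victim_tenant, now=1_700_000_000)
        hardened_result = "accepted"
    except PermissionError as exc:
        hardened_result = f"rejected: {exc}"
    return {"legacy": legacy_result, "hardened": hardened_result}


if __name__ == "__main__":
    print(cross_tenant_demo())
```

The legacy path returns the foreign token's subject and roles as if they belonged to the victim tenant, which is the cross-tenant impersonation the article describes; the hardened path rejects the same token before any role is honoured. Binding the tenant claim is a check the relying API must perform itself, since a valid issuer signature only proves who minted the token, not where it may be used.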

Making matters worse, a logging deficiency at the API level allowed access to tenant settings, application permissions, group and role details, device information, BitLocker keys stored in Entra ID, and user data held in Entra ID without leaving any trace.

Full tenant compromise could follow from an attacker impersonating a Global Administrator and accessing any service that uses Entra ID for authentication, including SharePoint Online and Exchange Online, by creating new accounts, granting themselves additional permissions, or accessing sensitive data.

Cross-tenant access is a form of “highly privileged access” (HPA), which, according to Microsoft, “occurs when an application or service obtains broad access to customer content, allowing it to impersonate other users without providing any proof of the user's context.”

It is worth noting that the technology giant advises customers to migrate their applications to Microsoft Graph, as the Azure AD Graph API is officially deprecated and was retired on August 31, 2025. The deprecation was first announced in 2019.

Microsoft

Microsoft said in late June 2025: “Applications that have been configured for extended access but still rely on Azure AD Graph APIs will no longer be able to use these APIs starting in early September 2025.”
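Because applications still calling graph.windows.net stop working at the cutoff above, an inventory of who still depends on the legacy endpoint is the practical first step. The following is an added example, not code from the article or from Microsoft: it scans JSON-lines sign-in records for requests whose resource is the Azure AD Graph host and counts them per application. The record field names (`appId`, `appDisplayName`, `resource`) and all sample values are constructed assumptions for this example; adapt them to the columns of the export you actually have.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample records (field names are an assumption, not the page's).
# One malformed line is included to show that the scan skips it.
SAMPLE_LOG = """\
{"appId": "aaaaaaaa-0000-0000-0000-000000000001", "appDisplayName": "HR Sync", "resource": "https://graph.windows.net/"}
{"appId": "aaaaaaaa-0000-0000-0000-000000000002", "appDisplayName": "Ticketing", "resource": "https://graph.microsoft.com/"}
{"appId": "aaaaaaaa-0000-0000-0000-000000000001", "appDisplayName": "HR Sync", "resource": "https://graph.windows.net/v1.6"}
{"appId": "aaaaaaaa-0000-0000-0000-000000000003", "appDisplayName": "Legacy Portal", "resource": "GRAPH.WINDOWS.NET"}
not json at all
"""

LEGACY_HOST = "graph.windows.net"  # Azure AD Graph endpoint named in the article


def resource_host(value: str) -> str:
    """Return the lowercase host from a resource URL or a bare host string."""
    value = value.strip()
    host = urlsplit(value).hostname if "://" in value else value.split("/")[0]
    return (host or "").lower()


def find_legacy_graph_callers(log_text: str) -> list:
    """Parse JSON-lines records and count, per application, the sign-ins whose
    resource is the deprecated Azure AD Graph host. Returns a list of
    (appId, appDisplayName, count) sorted by descending count, then appId.
    Malformed lines are skipped rather than aborting the scan."""
    counts = Counter()
    names = {}
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if resource_host(rec.get("resource", "")) == LEGACY_HOST:
            counts[rec["appId"]] += 1
            names[rec["appId"]] = rec.get("appDisplayName", "")
    return sorted(
        ((app, names[app], n) for app, n in counts.items()),
        key=lambda t: (-t[2], t[0]),
    )


if __name__ == "__main__":
    for app_id, name, n in find_legacy_graph_callers(SAMPLE_LOG):
        print(f"{name} ({app_id}) still called Azure AD Graph {n} time(s)")
```

Matching on the parsed host rather than on a substring avoids false positives from unrelated URLs and catches the bare-host and upper-case variants that appear in exports; every application the scan lists is a migration item to clear before the endpoint is withdrawn.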

Mitiga, cloud security company

According to cloud security company Mitiga, successful exploitation of CVE-2025-55241 could bypass Conditional Access and multi-factor authentication (MFA) without leaving any trace.

Roy Sherman, Mitiga

“These tokens could be crafted by attackers to trick Entra ID into believing they were anyone, anywhere.” “The vulnerability arose from the legacy API's failure to validate the source tenant of the token.”

In effect, this means an intruder could impersonate a Global Administrator in any other company's tenant by obtaining an actor token from their own test environment. No prior access to the targeted organization was required.

Mollema has previously described a high-severity vulnerability affecting on-premises versions of Exchange that could give an attacker elevated privileges in certain situations (CVE-2025-53786, CVSS score: 8.0).

Separate research found that ordinary users could carry out an ESC1 attack against Active Directory by abusing misconfigurations in Intune certificates (such as tampered IDs).

The disclosure comes weeks after Haakon Holm Gulbrandsrud revealed that cross-tenant access could be obtained through the shared API Management (APIM) instance that backs API Connections from Azure resources.

Gulbrandsrud

“Anyone can fully impersonate any other connection in the world using API Connections, gaining complete access to the connected backend.” “This includes any externally connected service, such as Jira or Salesforce, as well as cross-tenant compromise of Azure SQL databases and Key Vaults.”

It also follows a number of cloud vulnerabilities and attack techniques reported in recent weeks:

  • A misconfiguration in Entra ID OAuth that allowed unauthorized access to Microsoft's Engineering Hub resource even with a personal Microsoft account, exposing 22 internal services and related data.
  • An attack that abuses the Known Folder Move (KFM) feature in Microsoft OneDrive for Business, enabling a malicious actor to reach SharePoint applications and synced files over the Internet by compromising a Microsoft 365 user who has OneDrive sync enabled.
  • Azure AD application data leaked in an appsettings.json file.
  • A phishing attack, using a link to a malicious OAuth application registered in Microsoft Azure, that tricked a user into granting permissions in order to extract Amazon Web Services (AWS) keys for a sandbox environment from a compromised demo environment.

This allowed the unidentified actors to enumerate AWS permissions and leverage the trust relationship between the sandbox and production environments to escalate privileges, gain full control of the organization's AWS infrastructure, and access its sensitive data.

  • An attack that exploits server-side request forgery (SSRF) flaws in web applications to send requests to the AWS EC2 Instance Metadata Service (IMDS) and obtain temporary security credentials tied to an IAM role, in order to compromise cloud resources.
  • A vulnerability in the AWS Trusted Advisor tool that could be exploited by setting specific storage bucket policies to bypass its S3 security checks, causing the tool to incorrectly report publicly exposed S3 buckets as secure and leaving sensitive data exposed.
  • AWSDoor, a persistence technique that establishes a foothold in AWS environments by modifying IAM settings tied to AWS roles and trust policies.

The findings show that even common cloud configuration errors can have catastrophic consequences for the organizations concerned, leading to data theft and other follow-on attacks.

Yoann Dequeker and Arnaud Petitcol, researchers, RiskInsight

“Attackers can persist without installing malware or triggering alerts, using techniques such as AccessKey injection, trust policy backdooring, and NotAction policies.”

“Beyond IAM, attackers can use AWS resources such as EC2 instances and Lambda functions to maintain access. Techniques that reduce visibility and enable long-term compromise or destruction include turning off CloudTrail, modifying event selectors, applying lifecycle policies, and removing accounts from AWS Organizations.”

About the author

Suraj Cole is a content specialist who writes about cybersecurity and information security. He has written many articles on cybersecurity concepts, the latest trends in cyber awareness, and ethical hacking.


Get the complete details at: https://www.news4hackers.com/critical-entra-id-flaw-enabling-global-admin-impersonation-across-tenants-patched-by-microsoft/


**Additional Resources & Tags:**

– Author: daksh kataria
– Published on: 2025-09-22 18:30:00
– Tags: Cyber Security, Admin Impersonation, Critical Entra ID, cybersecurity, Cybersecurity Flaws, Entra ID Flaw, Global Admin Impersonation, Identity Management, microsoft, Microsoft Patch, Tenant Security, Vulnerability

**Visuals & Media:**

– Featured Image: https://www.news4hackers.com/wp-content/uploads/2025/09/entra-id-flow.webp

**URL & Links:**

– Post URL (slug): entra-critical-defect-that-enables-the-impersonation-of-the-global-supervisor-through-the-tenants-corrected-by-microsoft
– Post URL: https://www.news4hackers.com/critical-entra-id-flaw-enabling-global-admin-impersonation-across-tenants-patched-by-microsoft/
– Source Domain: www.news4hackers.com