Critical Flaw: Entra ID Vulnerability Allows Global Tenant Compromise

2025-09-18

A critical vulnerability in Microsoft Entra ID allowed attackers to compromise virtually any tenant worldwide (national cloud deployments excluded). Undocumented "Actor tokens", combined with a flaw in the Azure AD Graph API, gave full access: an attacker could obtain a user's netId by brute force or through B2B trusts, impersonate administrators, and take complete control of the tenant, reading sensitive data and modifying settings. No prerequisites were needed. Microsoft has patched the vulnerability (CVE-2025-55241); the issue highlights the inherent risk in the Actor token design.
