
Critical Microsoft Entra ID Flaw Could Have Compromised Every Azure Customer


A catastrophic vulnerability in Microsoft's Entra ID identity platform could have allowed attackers to gain "god mode" access to virtually every Azure customer account worldwide, a security researcher has revealed.

Security researcher Dirk-Jan Mollema discovered the critical flaw while preparing for his Black Hat presentation in July. The vulnerability exploited legacy authentication tokens called "Actor Tokens" combined with a validation failure in Microsoft's older Azure Active Directory Graph API.

"I was just staring at my screen. I was like, 'No, this shouldn't really happen,'" Mollema told reporters. "From my own tenants—my test tenant or even a trial tenant—you could request these tokens and you could impersonate basically anybody else in anybody else's tenant."

The attack would have been devastating in scope. Using a single token from an attacker-controlled tenant, hackers could have impersonated Global Administrators across any Entra ID environment, accessing Microsoft 365, SharePoint, Exchange, and Azure resources without triggering security alerts or conditional access policies.

What made this vulnerability particularly dangerous was how stealthy it was. The legacy Actor Tokens bypass Microsoft's modern security controls and generate no audit logs when used, so a compromised tenant would have had nothing in its own logs to detect the access. Attackers could have silently accessed sensitive corporate data, created backdoor accounts, or granted themselves permanent administrative privileges.

Microsoft responded swiftly after Mollema's responsible disclosure on July 14. The company deployed global fixes by July 17 and implemented additional protections in August. Microsoft confirmed that no evidence of exploitation was found during its investigation.

"We mitigated the newly identified issue quickly, and accelerated the remediation work underway to decommission this legacy protocol usage," said Tom Gallagher, Microsoft's Security Response Center vice president.

The incident mirrors the 2023 Storm-0558 attack, where Chinese hackers stole cryptographic keys to access government email systems. However, experts note this new vulnerability could have enabled even broader access across Microsoft's cloud ecosystem.

Microsoft has assigned CVE-2025-55241 to track this vulnerability, rating it as critical with a maximum CVSS score of 10.0. The fix required no customer action, as Microsoft resolved the issue entirely on its backend infrastructure.
