Patching is done, yet the risk lingers: while CVE-2025-55241 initially carried a maximum base severity score of 10.0 out of 10, Microsoft later revised its advisory on September 4 to rate the flaw at 8.7, reflecting its own exploitability assessment.

Microsoft rolled out a fix globally within days of the initial report, adding that its internal telemetry did not reveal any evidence of exploitation up to that time. The patch blocked Actor tokens from being requested for Azure AD Graph API calls and introduced further mitigations to close off the impersonation vector.

Additionally, the technology giant published a blog post about removing insecure legacy practices from its environment, though Mollema complained that it gave no details on how many services still use these tokens. "This vulnerability has already been fully mitigated by Microsoft," Microsoft said in the advisory. "There is no action for users of this service to take."

The Mitiga team stresses that the problem highlights a broader category of risk: hidden trust deep in cloud identity systems. "Microsoft has patched it, but the lack of historical visibility means defenders still can't be sure whether it was used in the past," the team added. "That uncertainty is the point: attackers keep looking for invisible pathways. Defenders need visibility everywhere before, during, and after exploitation."
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4060101/entra-id-vulnerability-exposes-gaps-in-cloud-identity-trust-models-experts-warn.html