Microsoft Fixes Entra ID Flaw Allowing Admin Hijack
Microsoft has addressed a critical security flaw in Entra ID that could have allowed attackers to impersonate users in any tenant, including accounts holding Global Administrator privileges. The vulnerability, tracked as CVE-2025-55241, received the maximum CVSS severity score of 10.0. The fix closes a token validation failure that posed a serious privilege escalation risk within Entra ID environments.
The issue stemmed from a flaw in how tokens were validated, which allowed unauthorized access across organizational boundaries. Microsoft classified the bug as a privilege escalation vulnerability, making it particularly dangerous for enterprises that rely on Entra ID for identity management. Exploitation required no user interaction, which increased the potential for abuse. The fix restores tenant isolation and protects all administrative accounts.
Security professionals and IT teams are encouraged to review the full advisory for technical details and patch deployment guidance at https://thehackernews.com/2025/09/microsoft-patches-critical-entra-id.html
