Microsoft Patches Critical Entra ID Flaw Enabling Global Admin Impersonation Across Tenants
Microsoft patched a critical token-validation vulnerability in Entra ID (formerly Azure Active Directory), tracked as CVE-2025-55241, that could have allowed attackers to impersonate any user, including Global Administrators, across virtually any tenant. The flaw, assigned a CVSS score of 10.0, was reported by researcher Dirk-jan Mollema on 14 July 2025 and addressed by Microsoft on 17 July 2025. Microsoft states that there is no evidence the issue was exploited in the wild and that no customer action was required after the fix.