Microsoft has upgraded a critical cross-tenant elevation of privileges (EOP) bug in Azure to CVSS 10 - the highest vulnerability rating possible.

As reported by The Stack, CVE-2025-55241 let an attacker elevate basic privileges from their own machine to take over any Entra ID tenant.

Microsoft fixed the vulnerability on July 17 and applied further mitigations on August 6. After disclosing it on September 4, Redmond late last week upgraded it from CVSS 9 to 10 and dropped its exploitability rating to “low”.

The vulnerability was due to Microsoft’s use of undocumented and unsigned “Actor” JSON web tokens, which let a service communicate with other services on behalf of a user, combined with a token validation failure in the Azure AD Graph API that allowed those tokens to be exploited far more widely than intended.
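To illustrate the general class of defect described above (a resource API accepting a token that is unsigned, or that was issued for a different tenant than the one whose data is being requested), here is an added example that is not from Microsoft or The Stack. It does not model the real Actor token format; the HS256 key, claim names (`tid`, `aud`) and audience value are constructed for the demo.

```python
import base64, hashlib, hmac, json

# Constructed demo key. A real resource server would fetch the issuer's
# public signing keys and verify an asymmetric signature instead.
SIGNING_KEY = b"demo-secret-not-for-production"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint(claims: dict, signed: bool = True) -> str:
    """Build a compact JWT; signed=False mimics an unsigned (alg=none) token."""
    header = {"alg": "HS256" if signed else "none", "typ": "JWT"}
    h, p = b64url(json.dumps(header).encode()), b64url(json.dumps(claims).encode())
    sig = b64url(hmac.new(SIGNING_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()) if signed else ""
    return f"{h}.{p}.{sig}"

def validate(token: str, expected_tenant: str, expected_aud: str) -> dict:
    """Reject unsigned tokens, bad signatures, wrong audience, and cross-tenant tokens."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, sig = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":  # never accept alg=none or an unexpected algorithm
        raise ValueError(f"rejected alg {header.get('alg')!r}")
    expected_sig = b64url(hmac.new(SIGNING_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected_sig):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("aud") != expected_aud:
        raise ValueError("wrong audience")
    # Tenant binding: a token issued for tenant A must not unlock tenant B's data,
    # even if its signature is valid. Skipping this check is what makes a flaw cross-tenant.
    if claims.get("tid") != expected_tenant:
        raise ValueError("token tenant does not match resource tenant")
    return claims

def check(token: str, tenant: str, aud: str) -> str:
    """Return 'ok' or the rejection reason, so each failure mode is visible."""
    try:
        validate(token, tenant, aud)
        return "ok"
    except ValueError as e:
        return str(e)
```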


The vulnerability was identified by Dutch security researcher Dirk-jan Mollema, who told The Stack that “I had to do a few double takes and retest the whole flow to make sure I wasn’t imagining things” when working out how extensively he could hack other environments. 

(He disclosed it under Microsoft’s identity bounty program, he added.)

CVE-2025-55241 sent waves across the global cybersecurity community.

It followed earlier research on Azure’s security that also raised concerns about the ability of hackers to move from one cloud tenant to another. 

In 2022, for example, Orca Security found that exploiting a bug in an ETL tool exposed “a huge amount of Microsoft and 3rd party code, [which] runs with SYSTEM permissions… on shared machines with access to Azure service keys and sensitive data of other customers. These areas of the service only have application-level separation and lack sandbox or hypervisor-level isolation. This is a major attack surface,” the security firm warned.

A year earlier, researchers at Wiz had reported ChaosDB, a cross-tenant vulnerability in Azure Cosmos DB: by exploiting a local privilege escalation vulnerability, modifying firewall rules to gain unrestricted network access and authenticating to the Cosmos DB backend, an attacker could abuse their access to retrieve and decrypt other tenants’ credentials.

Microsoft told The Stack it had “accelerated the remediation work underway to decommission this legacy protocol usage, as part of our Secure Future Initiative” and it is “strengthening our identity standards, driving adoption through the usage of standard SDKs across 100% of applications..."

One Microsoft deputy CISO said his team was working hard to strip out this kind of “service-to-service” (S2S) architectural issue.

Naresh Kannan, D-CISO for Experiences and Devices, wrote in July 2025 that “we have successfully mitigated more than 1,000 high-privilege application scenarios thus far” in a “monumental cross-functional effort at Microsoft, engaging more than 200 engineers across the company.”

“First,” he wrote, “we reviewed all existing Microsoft 365 applications and their S2S interactions with all resource providers across the stack. 

“Second, we deprecated legacy authentication protocols that supported HPA [high-privileged access] patterns. Third, we accelerated the enforcement of new secure authentication protocols to ensure that all S2S interactions operate within the least-privileged scope… In many cases, this also required re-engineering the existing architecture and platform to ensure that customer scenarios are accommodated with secure, least privilege access.”

Kannan added: “We ensured that Microsoft 365 first-party applications are interacting with customer content only with the least privilege access. For instance, if Application C has a requirement to read data from specific SharePoint sites, it is granted granular ‘Sites.Selected’ permission rather than ‘Sites.Read.All’ permission. Finally, we have also implemented standardized monitoring systems to identify and report any high-privilege access within Microsoft 365 applications.”

It was not immediately clear how many other Microsoft applications still rely on this kind of elevated “S2S” interaction via access tokens in the wake of this ongoing “accelerated remediation work.” 
