God Mode Vulnerability Lets Attackers Access Any Resource in Microsoft Cloud Tenants
A recently disclosed flaw, tracked as CVE-2025-55241, allowed any attacker in possession of a single "Actor token" from a test or lab tenant to assume full administrative control over every Microsoft Entra ID (Azure AD) customer globally.
Security researcher Dirk-Jan Mollema revealed that a critical validation error in Microsoft's token-based service-to-service communication could have turned a service token issued for the attacker's own test tenant into a universal master key. From multinational corporations to small startups, no tenant would have been safe.
Overview of the Vulnerability
Microsoft’s backend services use Actor tokens to authenticate and authorize communication between their own services.
| CVE Identifier | Affected Component | Impact | Exploit Prerequisites | CVSS 3.1 Score |
|---|---|---|---|---|
| CVE-2025-55241 | Microsoft Entra ID Actor tokens | Complete global admin control across all tenants | Possession of a valid Actor token from any tenant | 10.0 (Critical) |
Because the receiving service failed to check which tenant a token had been issued for, a token minted in one tenant was accepted for requests against another, so the tenant boundary was not enforced.
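As an added illustration that is not part of the gbhackers article and is not Microsoft's code: a constructed, deliberately simplified token validator showing the class of flaw described above, a token signed for one tenant being honoured for a request against another. The token format, signing key, tenant IDs and function names are all assumptions for this example and do not describe the real Actor token format; the point is the missing tenant-binding check and what the fixed check looks like.

```python
"""Hypothetical model of a cross-tenant token-validation flaw (constructed example).

A minimal HMAC-signed token carries the tenant it was issued for ("tid") and the
principal it represents ("sub"). Two validators are shown: one that checks only
signature and expiry (and so accepts a token from tenant A for tenant B), and one
that also binds the token to the tenant being accessed.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed shared signing key; stands in for the issuer's real key.
SIGNING_KEY = b"example-issuer-signing-key"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(tenant_id: str, subject: str, ttl: int = 3600, now=None) -> str:
    """Issue a token scoped to tenant_id (constructed format: payload.signature)."""
    now = int(time.time()) if now is None else now
    payload = {"tid": tenant_id, "sub": subject, "exp": now + ttl}
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def _verify_signature_and_expiry(token: str, now=None) -> Optional[dict]:
    """Shared step: return the payload if the signature and expiry check out, else None."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".")
        expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        payload = json.loads(_unb64(body))
    except (ValueError, json.JSONDecodeError):
        return None
    if not isinstance(payload, dict) or payload.get("exp", 0) <= now:
        return None
    return payload


def vulnerable_authorize(token: str, target_tenant: str, now=None) -> bool:
    """Flawed check: any validly signed, unexpired token is accepted for any tenant.

    target_tenant is never consulted, which is the boundary failure being modelled.
    """
    return _verify_signature_and_expiry(token, now) is not None


def hardened_authorize(token: str, target_tenant: str, now=None) -> bool:
    """Fixed check: the token must have been issued for the tenant being accessed."""
    payload = _verify_signature_and_expiry(token, now)
    if payload is None:
        return False
    # Tenant binding: a token minted in the attacker's own test tenant must not
    # be honoured for requests against a different tenant.
    return payload.get("tid") == target_tenant


def demo() -> dict:
    """Attacker mints a token in their own tenant and replays it against a victim tenant."""
    attacker_tenant = "00000000-0000-0000-0000-00000000aaaa"  # constructed tenant IDs
    victim_tenant = "00000000-0000-0000-0000-00000000bbbb"
    t0 = 1_700_000_000  # fixed clock so results are deterministic
    tok = mint_token(attacker_tenant, "svc-actor", now=t0)
    return {
        "vulnerable_cross_tenant": vulnerable_authorize(tok, victim_tenant, now=t0),
        "hardened_cross_tenant": hardened_authorize(tok, victim_tenant, now=t0),
        "hardened_same_tenant": hardened_authorize(tok, attacker_tenant, now=t0),
        "hardened_expired": hardened_authorize(tok, attacker_tenant, now=t0 + 7200),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The signature and expiry checks pass in both validators; the only difference is that the hardened one refuses a token whose issuing tenant is not the tenant the request targets. That is the check a consumer of any cross-service token needs in addition to signature validation: a token being genuine says nothing about which tenant it is allowed to act in.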
An attacker ...
Copyright of this story solely belongs to gbhackers.