Cyber Posture

CVE-2025-55241

Critical

Published: 04 September 2025

Modified: 24 September 2025
CVSS Score: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0017 (37.9th percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-55241 is a critical-severity Improper Authentication (CWE-287) vulnerability in Microsoft Entra ID. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). Its EPSS score places it at the 37.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and IA-5 (Authenticator Management).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and two other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly mitigates CVE-2025-55241 by requiring timely flaw remediation and patching of the Azure Entra ID elevation of privilege vulnerability.

Prevent (IA-5, Authenticator Management): Addresses improper authentication (CWE-287) by enforcing secure management, validation, and protection of authenticators such as the actor tokens exploited in this vulnerability.

Prevent (AC-6, Least Privilege): Limits the impact of privilege escalation to Global Administrator by enforcing the principle of least privilege on accounts and their associated tokens in Entra ID tenants.

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1078.004 Cloud Accounts (Stealth): Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
T1550.001 Application Access Token (Lateral Movement): Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems.
Why these techniques?

Direct, unauthenticated remote privilege escalation to Global Administrator in Entra ID through improper actor token handling maps to exploitation for privilege escalation, abuse of valid cloud accounts, and misuse of application access tokens.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Azure Entra ID Elevation of Privilege Vulnerability

Deeper analysis

CVE-2025-55241 is an Elevation of Privilege vulnerability affecting Azure Entra ID. Published on 2025-09-04T23:15:32.960, it carries a maximum CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) and maps to CWE-287 (Improper Authentication).

Unauthenticated attackers (PR:N) can exploit the vulnerability remotely over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Exploitation enables privilege escalation with a changed scope (S:C), resulting in high confidentiality, integrity, and availability impacts (C:H/I:H/A:H). Research indicates attackers can leverage actor tokens to obtain global admin access in Entra ID tenants.

Microsoft's update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55241 details mitigation and patching information. Independent analysis at https://dirkjanm.io/obtaining-global-admin-in-every-entra-id-tenant-with-actor-tokens/ provides further technical insight into the actor token exploitation technique.

Details

CWE(s): CWE-287 (Improper Authentication)

Affected Products: Microsoft Entra ID (all versions)

CVEs Like This One

CVE-2025-59246 (same product: Microsoft Entra ID)
CVE-2026-24305 (same product: Microsoft Entra ID)
CVE-2026-35431 (same product: Microsoft Entra ID)
CVE-2026-26119 (same vendor: Microsoft)
CVE-2026-24294 (same vendor: Microsoft)
CVE-2026-26128 (same vendor: Microsoft)
CVE-2025-53778 (same vendor: Microsoft)
CVE-2025-54918 (same vendor: Microsoft)
CVE-2025-49706 (same vendor: Microsoft)
CVE-2025-55234 (same vendor: Microsoft)
