
Perfect 10 flaw in Microsoft Entra ID risking full company takeover
A Digital Master Key: “Perfect 10” Flaw in Microsoft Entra ID Could Have Allowed Total Takeover of Any Company
KATHMANDU, September 22, 2025 – Microsoft has patched a catastrophic vulnerability in its core identity service, Microsoft Entra ID (formerly Azure Active Directory), that could have allowed an attacker to untraceably impersonate any user, including top-level Global Administrators, across virtually any organization worldwide.
The vulnerability, tracked as CVE-2025-55241, was assigned the maximum possible CVSS severity score of 10.0 out of 10.0, signifying a flaw of the highest possible criticality. While Microsoft has confirmed the issue has been fixed and there is no evidence of it being exploited by hackers, the discovery reveals a near-miss of what could have been a global cybersecurity disaster.
For the thousands of businesses in Nepal that rely on Microsoft 365 and Azure for everything from email (Exchange) and file sharing (SharePoint) to their entire cloud infrastructure, this flaw represented a “god mode” vulnerability that could have led to a complete and silent compromise.
The “God Mode” Flaw Explained: How It Worked
Discovered by security researcher Dirk-jan Mollema, the flaw was devastatingly effective. In simple terms, it allowed an attacker to use an access token generated in their own, harmless test environment to gain the highest level of administrative access inside any other target company’s Microsoft tenant.
The attack bypassed all standard defenses:
- Multi-Factor Authentication (MFA): The impersonation completely sidestepped MFA protections.
- Conditional Access Policies: It ignored location-based and device-based security rules.
- No Traces Left: Crucially, the attack left no logs, meaning a victim would have been completely unaware of the breach.
An attacker impersonating a Global Administrator could have done anything: create new user accounts, grant themselves full access to all company data, read any employee’s email, access sensitive files, and even take control of the organization’s entire Azure cloud infrastructure—all without being detected.
The Culprit: A Ghost of APIs Past
The root cause of this critical flaw was not in Microsoft’s modern systems but in a legacy component: the Azure AD Graph API. This older API, which Microsoft officially deprecated in 2019 and began retiring in August 2025, failed to properly validate where an access token came from. It mistakenly trusted tokens from any tenant, creating the cross-company vulnerability.
This serves as a powerful cautionary tale for the tech community about the immense risks associated with maintaining and using legacy systems long after they have been superseded by modern, more secure alternatives like the Microsoft Graph API.
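To make the root cause concrete, here is an added illustration (not Microsoft's code) of the difference between a resource-side token check that accepts any tenant's token and one that binds the token to the tenant owning the resource. Claim names follow the usual Entra ID layout (tid, iss, aud, exp); the resource-to-tenant mapping, issuer base URL and sample tokens are constructed, and signature verification is assumed to have already happened.

```python
"""Tenant-binding check for a decoded access token (added example)."""
import time

# Constructed: which tenant owns each protected resource, and a placeholder
# issuer base; both would come from the identity provider's metadata in practice.
RESOURCE_TENANT = {"contoso-api": "tenant-contoso"}
ISSUER_BASE = "https://login.example/"


def weak_validate(claims, resource, now=None):
    """Checks audience and expiry only. A token minted in any tenant passes,
    which is the class of mistake the article attributes to the legacy API."""
    now = time.time() if now is None else now
    return claims.get("aud") == resource and claims.get("exp", 0) > now


def strict_validate(claims, resource, now=None):
    """Additionally requires tid and iss to name the tenant that owns the resource."""
    now = time.time() if now is None else now
    if claims.get("aud") != resource:
        return False, "audience mismatch"
    if claims.get("exp", 0) <= now:
        return False, "expired"
    tenant = RESOURCE_TENANT.get(resource)
    if tenant is None or claims.get("tid") != tenant:
        return False, "token issued for a different tenant"
    if claims.get("iss") != f"{ISSUER_BASE}{tenant}/v2.0":
        return False, "issuer does not match tenant"
    return True, "ok"


# Constructed sample: a token issued in an unrelated tenant, presented to
# contoso's API with a matching audience and a far-future expiry.
CROSS_TENANT_CLAIMS = {
    "iss": f"{ISSUER_BASE}tenant-other/v2.0",
    "tid": "tenant-other",
    "aud": "contoso-api",
    "exp": 2_000_000_000,
}


def demo(now=1_700_000_000):
    """Returns (weak result, strict result) for the cross-tenant token."""
    return (weak_validate(CROSS_TENANT_CLAIMS, "contoso-api", now),
            strict_validate(CROSS_TENANT_CLAIMS, "contoso-api", now))


if __name__ == "__main__":
    print(demo())  # weak check accepts; strict check rejects on tenant
```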
A Wave of Cloud Security Alarms
While CVE-2025-55241 is a standout, it is part of a recent and troubling trend of severe security flaws being discovered across major cloud platforms. In recent weeks, researchers have disclosed numerous other high-impact vulnerabilities and misconfigurations in both Azure and Amazon Web Services (AWS). These range from flaws allowing cross-tenant data access to simple misconfigurations leaking application credentials, all with potentially disastrous consequences.
While Microsoft has patched this specific issue and no action is required from customers, this “perfect 10” vulnerability is a sobering reminder of the immense trust placed in cloud identity providers. It highlights the constant, high-stakes battle being waged behind the scenes to secure the digital infrastructure that powers the modern world.