
"Ghost Hacker": Flaw in Microsoft Entra ID allowed intrusion without leaving traces

Published on September 26, 2025

Security researchers have found a critical vulnerability in Microsoft Entra ID, Microsoft's identity and access system, that could have allowed cybercriminals to gain access to any tenant in the cloud. With Global Administrator access, an attacker could act on accounts without being detected, leaving no trace of the unauthorized access in the victim's logs. According to Dirk-Jan Mollema, who discovered the flaw, it consisted of two elements: a legacy mechanism known as Actor Tokens and a privilege-escalation bug tracked as CVE-2025-55241.

Explaining the vulnerability

Actor Tokens are undocumented, unsigned authentication tokens that Microsoft services use to impersonate users when calling other services. They are issued by a legacy component called the Access Control Service (ACS) and were originally designed for service-to-service (S2S) authentication. Because they are not subject to the usual security controls, they require no interactive sign-in, they remain valid for 24 hours, and the access obtained with them is not logged, so it can go undetected. Mollema tested the vulnerability by generating tokens from tenant IDs and user identifiers, information that can be found publicly on the internet. With these, he was able to read sensitive data and modify settings in other organizations' environments, including creating users and changing passwords, without generating any logs in the victim tenant.

The second element, according to the researcher, lies in the Azure AD Graph API, a legacy API that Microsoft is gradually retiring. It accepted tokens issued for one tenant and allowed them to be used against others, skipping the security checks, Conditional Access policies and authentication checks that should have applied. Although no intrusion using the vulnerability has been found, Mollema demonstrated that it could have been exploited for malicious purposes.
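To make the missing check concrete, the following Python model shows the class of bug described above: a resource API that verifies a token is genuine (signature and audience) but never confirms that the token belongs to the tenant it is about to act on, beside the hardened check that adds the tenant binding and refuses unsigned tokens. This is an added example, not code from Microsoft, from Azure AD Graph, or from Mollema's write-up; the HMAC-signed JWT-style layout, the demo issuer key, the claim names (tid, oid, aud) and the tenant and audience strings are all constructed for the demonstration and do not reproduce the real Actor Token internals.

```python
"""
Resource-side token check modelled on the flaw described in the article.
Added illustrative example; the token format, issuer key, claim names and
tenant/audience strings below are constructed, not Microsoft's.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed demo key standing in for the central issuer's signing key.
# Every tenant's tokens come from the same issuer, which is why "the
# signature is valid" says nothing about *which* tenant a token targets.
ISSUER_KEY = b"demo-issuer-key-not-a-real-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(tenant_id: str, user_oid: str, audience: str,
               key: bytes = ISSUER_KEY) -> str:
    """Issue a signed token bound to one tenant (constructed issuer model)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64url(json.dumps({"tid": tenant_id, "oid": user_oid,
                                 "aud": audience}).encode())
    signing_input = f"{header}.{claims}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def forge_unsigned_token(tenant_id: str, user_oid: str, audience: str) -> str:
    """Attacker-crafted token with alg=none and an empty signature (constructed)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    claims = _b64url(json.dumps({"tid": tenant_id, "oid": user_oid,
                                 "aud": audience}).encode())
    return f"{header}.{claims}."


def _parse(token: str) -> Tuple[dict, dict, bytes, str]:
    header_b64, claims_b64, sig_b64 = token.split(".")
    return (json.loads(_b64url_decode(header_b64)),
            json.loads(_b64url_decode(claims_b64)),
            _b64url_decode(sig_b64),
            f"{header_b64}.{claims_b64}")


def validate_weak(token: str, expected_aud: str,
                  key: bytes = ISSUER_KEY) -> Optional[dict]:
    """Flawed check: signature and audience only. It never asks which tenant
    the request targets, so a genuine token from tenant A passes when it is
    presented against tenant B. Returns the claims on success, None on rejection."""
    try:
        header, claims, sig, signing_input = _parse(token)
    except ValueError:          # malformed segments, bad base64 or bad JSON
        return None
    if header.get("alg") != "HS256":   # "alg": "none" is never acceptable
        return None
    expected_sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected_sig):
        return None
    if claims.get("aud") != expected_aud:
        return None
    return claims


def validate_strict(token: str, expected_aud: str, resource_tenant: str,
                    key: bytes = ISSUER_KEY) -> Optional[dict]:
    """Hardened check: everything validate_weak does, plus the token's tenant
    claim must equal the tenant the API is about to operate on."""
    claims = validate_weak(token, expected_aud, key)
    if claims is None:
        return None
    tid = claims.get("tid")
    if not isinstance(tid, str) or not hmac.compare_digest(
            tid.encode(), resource_tenant.encode()):
        return None
    return claims


if __name__ == "__main__":
    AUD = "graph-api"   # constructed audience value
    # The attacker controls their own tenant and can mint a valid token there.
    attacker_token = mint_token("attacker-tenant", "attacker-user", AUD)
    # Cross-tenant use: the weak check accepts it, the strict check rejects it.
    print("weak accepts cross-tenant token:",
          validate_weak(attacker_token, AUD) is not None)
    print("strict accepts cross-tenant token:",
          validate_strict(attacker_token, AUD, "victim-tenant") is not None)
    print("unsigned token accepted:",
          validate_weak(forge_unsigned_token("victim-tenant", "u", AUD), AUD) is not None)
```

The point of the model is that signature verification proves only that the issuer minted the token; a multi-tenant API must additionally bind the token's tenant to the tenant named in the request, and reject that request on mismatch, or a legitimately issued token from one tenant becomes a key to every other.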
The researcher reported the problem to Microsoft, which acknowledged it in mid-July and rolled out a fix two weeks later. The flaw was assigned CVE-2025-55241 and rated 10/10 (critical), and the remediation was completed on September 4. Both the Azure AD Graph API and the tokens involved are being retired by Microsoft.

Source: Dirk-Jan Mollema