The elevation of privilege (EoP) vulnerability, tracked as CVE-2025-55241, was addressed over the summer and disclosed earlier this month, but there’s no indication the flaw — which initially received a CVSS score of 9.0 but was raised to a maximum 10.0 this week — was exploited in the wild. That said, according to the researcher who discovered the flaw, the vulnerability could have been used for devastating attacks and, importantly, highlights a lack of security around key components of Azure’s authentication stack.
According to Dirk-jan Mollema, security researcher and founder of Dutch infosec consultancy Outsider Security, the vulnerability stems from an authentication failure in the Azure AD Graph API. The service, which is scheduled for deprecation this year, is a REST API that enables users to access Azure cloud resources, including Entra ID (formerly known as Azure Active Directory or Azure AD).
Keep reading this article in Dark Reading, a DCN partner site