Kevin BeaumontDirk-jan Mollema, who discovered Zerologon (the most impactful on prem Active Directory vulnerability ever), has discovered an Azure Active Directory (EntraID) vulnerability which allowed anybody to take over any tenant - access any Microsoft 365 resource, basically. CVE-2025-55241
https://dirkjanm.io/obtaining-global-admin-in-every-entra-id-tenant-with-actor-tokens/
Edit: Tom Tervoort discovered ZeroLogon and Dirk-jan expanded upon it.
One Token to rule them all - obtaining Global Admin in every Entra ID tenant via Actor tokens
While preparing for my Black Hat and DEF CON talks in July of this year, I found the most impactful Entra ID vulnerability that I will probably ever find. One that could have allowed me to compromise every Entra ID tenant in the world (except probably those in national cloud deployments). If you are an Entra ID admin reading this, yes that means complete access to your tenant. The vulnerability consisted of two components: undocumented impersonation tokens that Microsoft uses in their backend for service-to-service (S2S) communication, called “Actor tokens”, and a critical vulnerability in the (legacy) Azure AD Graph API that did not properly validate the originating tenant, allowing these tokens to be used for cross-tenant access.
golem
Joshua Small
Martin Seeger
Tanawts
rx13 
