Critical Entra ID Token Flaw and WAC Elevation Threaten Windows Security

A tight cluster of identity, management-plane, and update failures has turned routine admin tasks into a potential path to tenant‑wide catastrophe: a critical Microsoft Entra ID token‑validation flaw that could permit stealthy cross‑tenant impersonation, a high‑impact local elevation‑of‑privilege in Windows Admin Center that lets a low‑privileged actor become SYSTEM, and a wave of Windows update and storage CVEs that remain actively weaponized in the wild — all underscored by the growing reality of AI‑assisted fraud and supply‑chain theft that can turn cloud credentials and secrets into an instant pay‑day for attackers. These were the headline takeaways of the latest Department of Know briefing in CISO Series, and they demand immediate changes to how Windows admins and cloud defenders prioritize identity, patching, and telemetry.

Overview

The CISO Series roundup touches three separate but tightly related threat tracks: identity plumbing failures in cloud platforms, management‑plane software that runs with elevated trust on bastions and gateways, and the perennial patching gaps in Windows that adversaries continue to exploit. The combination is more dangerous than any single item: management hosts like bastion servers and Windows Admin Center (WAC) gateways hold machine identities, tokens, and automation hooks; if those hosts can be escalated locally and the cloud identity fabric accepts mis‑validated tokens, an endpoint compromise can instantly morph into a silent tenant compromise.
Put another way: the reach of a local compromise has grown to encompass entire tenants and managed fleets because of legacy token semantics, writable management directories, and slow patch cycles. The rest of this feature drills into each element, verifies the technical claims, and translates them into a concrete, prioritized playbook for Windows and cloud defenders.

Entra ID “actor tokens”: a near‑catastrophic identity failure

What happened​

Researchers discovered that an undocumented class of internal service‑to‑service credentials — so‑called actor tokens — combined with a legacy API that failed to validate tenant origin could be (mis)used to impersonate arbitrary users across tenants, including Global Administrators. That chain was assigned CVE‑2025‑55241 and was treated as critical by multiple responders. Microsoft deployed mitigations rapidly after responsible disclosure.
Independent reporting confirms the core details: actor tokens originated in legacy infrastructure (Access Control Service) and were not subject to normal Conditional Access, MFA, or tenant‑scoped enforcement. The deprecated Azure AD Graph API (graph.windows.net) failed to enforce tenant origin checks for some actor‑token request patterns, allowing a token issued in attacker‑controlled tenant A to be accepted in tenant B when the attacker supplied victim tenant IDs and user identifiers. Multiple post‑disclosure analyses show Microsoft patched the flaw and moved to restrict actor token issuance.

Why this matters (beyond the press release)​

  • Actor tokens are largely invisible to tenant‑side logging. Many standard telemetry and Conditional Access controls never saw these tokens, so detection windows were narrow or nonexistent.
  • Management hosts and automation often possess machine tokens, keys, and service principals. If an attacker gains access to a management host and extracts a token (or crafts an actor token in an attacker tenant), they can use it to perform privileged directory operations without obvious tenant logs.
  • The vulnerability is architectural: it relied on legacy token semantics and deprecated API surfaces. Patching legacy APIs is harder than patching a single binary — it requires protocol hardening, token lifecycle changes, and vendor policy shifts. Multiple independent write‑ups confirm that Microsoft’s fix included both a targeted patch and steps to remove the token issuance surface over time.

Verification and cross‑checks​

I cross‑checked the CISO Series summary against independent advisories and technical writeups. Integrity360 and TechRadar documented the same root cause, timeline, and remedial steps, and security researchers published detection guidance showing how anomalous service‑initiated operations may be used to surface abuse. That convergence increases confidence in the claim that the flaw was real, high‑impact, and correctly prioritized by Microsoft’s emergency response.

Windows Admin Center: local escalation to SYSTEM — two practical attack vectors​

The flaws​

Windows Admin Center — the browser‑based management gateway many organizations host on bastion or jump servers — contained insecure directory permissions in ProgramData that allowed two practical local escalation paths:
  • Signed PowerShell uninstall script abuse: WAC searches an uninstall folder for PowerShell scripts and executes them under elevated context. If standard users can write to that directory, they can place a signed script that executes with SYSTEM privileges during extension uninstall operations.
  • TOCTOU DLL hijack in the updater: an updater process validates signatures in one process and then launches a helper (WindowsAdminCenterUpdater.exe) that loads DLLs from a writable directory. A race (time‑of‑check/time‑of‑use) allows an attacker to swap in a malicious DLL after validation and before the loader executes it. That DLL runs as SYSTEM.
The issue was tracked as CVE‑2025‑64669 and patched; researchers who reported the problem were awarded bounties and published exploitation details.

Why this is especially dangerous for Windows environments​

Windows Admin Center often lives on management hosts: bastions, jump boxes and gateway servers that already possess privileged context for many systems. A single local escalation there converts a local foothold into an infrastructure compromise, allowing:
  • harvesting of machine certificates and stored secrets;
  • calling instance metadata or agent APIs to mint machine tokens;
  • deploying malicious extensions or agents to pivot to managed endpoints.
This is the classic bridge between "endpoint compromise" and "tenant compromise." The WAC flaw demonstrates how a relatively small permissions oversight on a management host can multiply into a tenant‑wide crisis.

Verification and corroboration​

Multiple independent sources — vulnerability databases, Cymulate’s analysis, and mainstream reporting — describe the same exploitation mechanics and remediation steps. The technical details (writable C:\ProgramData\WindowsAdminCenter, uninstall PowerShell scripts, updater folder DLL loading) are consistent across writeups and match the advisory text collected by vulnerability trackers. That independent corroboration supports the conclusion that the vulnerability was real, practical to exploit, and broadly relevant.

Windows update and storage CVEs: active exploitation keeps the pressure on patching​

Notable CVEs called out in the roundup​

CISO Series highlighted a set of Windows bugs that are small in isolation but large in aggregate — for example, the Windows Storage link‑following vulnerability CVE‑2025‑21391 (an elevation‑of‑privilege that allows file deletion) and related NTLM/credential exposures. The article emphasizes that several of these were added to CISA’s Known Exploited Vulnerabilities (KEV) catalog and should be prioritized.
Independent vulnerability databases and vendor trackers confirm CVE‑2025‑21391 was disclosed with a high severity score and was added to CISA’s KEV list, with vendor guidance and patches released in Microsoft’s Patch Tuesday cycle. Rapid7, Wiz, and other vulnerability services list remediation KBs and advise immediate patching.

The operational reality​

Patches for kernel, storage, and preview‑handler flaws often need rapid rollout because exploitation requires little user interaction; some attack chains only need a preview pane or a crafted file. The recurring theme is familiar: Microsoft ships fixes, but the enterprise window for patching remains uneven, leaving long tails of vulnerable endpoints that attackers chase and weaponize. The KEV process compresses deadlines for federal systems and often becomes the de facto priority list for the private sector.

The “AWS intruder AI heist” claim — verification and context​

What CISO Series says (and what I could not independently verify)​

The CISO Series piece referenced an “AWS intruder AI heist” as an example of AI‑assisted attacks targeting cloud assets. I dug through the available incident reporting and could not find a single, independently corroborated, headline incident labeled exactly “AWS intruder AI heist.” That absence is important: the CISO Series phrasing captures a class of attacks — AI‑aided social engineering, supply‑chain token harvesting, and credential exfiltration — rather than a single named AWS breach. Where the article uses shorthand, readers should treat it as a category description rather than a confirmed, discrete, named breach.

Real, analogous incidents you should treat as direct lessons​

While the precise “AWS intruder AI heist” phrasing couldn’t be independently validated as a unique event, there are multiple recent cases that demonstrate how AI, supply‑chain sabotage, and token theft combine to cause real financial or infrastructure loss:
  • Deepfake‑assisted wire fraud: several large, highly publicized cases used AI voice/video deepfakes to authorize large transfers — the HK$200M / US$25M deepfake fraud is documented in mainstream reporting and remains a leading example of AI‑assisted social engineering. Those scams show how human trust in a voice or video can be weaponized quickly against financial controls.
  • Supply‑chain worm that harvests developer secrets: the Shai‑Hulud worm and related NPM supply‑chain compromises harvested developer and CI secrets, exposing cloud and extension API keys that were later abused to push malicious extension updates and exfiltrate data. That attack model maps directly to cloud credential theft: once attacker‑facing code or tokens are compromised, AWS and other cloud consoles can be abused for infrastructure misuse or funds theft.
  • AI‑facilitated reconnaissance and automation: adversaries use generative techniques to craft convincing phishing and spear‑phishing campaigns, scale reconnaissance, and speed exploit development — lowering the bar to orchestrate multi‑stage intrusions that reach cloud consoles. OWASP’s GenAI incident summaries catalog many such incidents and make the pattern explicit: AI accelerates the speed and believability of social engineering and reconnaissance.

Practical takeaway​

Don’t focus on the label; focus on the mechanism: if attackers combine AI‑assisted social engineering with harvested credentials or API keys from developer machines and supply chains, they can rapidly convert that access into cloud intrusions and financial theft. That pattern is real, demonstrated, and growing — even if a single canonical “AWS intruder AI heist” story is not available to cite verbatim. For defenders, the implications are identical regardless of the headline name: rotate and minimize secrets, instrument and monitor API usage, and assume stolen credentials will be tried rapidly and at scale.

Critical analysis — strengths, weaknesses, and systemic risks​

What vendors and responders did well​

  • Rapid triage and targeted mitigation: in the Entra case, Microsoft’s quick patching and then broader plan to deprecate or tighten actor token issuance closed the most immediate exploitation path. Rapid triage matters when identity plumbing is implicated.
  • Public advisories and KEV listings: adding high‑impact Windows CVEs to CISA’s KEV catalog forces faster remediation across federal and vendor‑sensitive supply chains. That policy clampdown is effective at getting attention and accelerating patching.

Where the ecosystem failed or is fragile​

  • Legacy components still in production: the root causes of these incidents are often legacy code paths (Azure AD Graph API, internal ACS token semantics, WAC updater code) that persist because they “work for now.” These legacy surfaces are high‑leverage attack vectors, and their persistence is a systemic weakness.
  • Detection blind spots: actor tokens and other internal S2S mechanisms frequently leave no tenant‑visible trail, creating “invisibility zones” for defenders. Without vendor help to surface anomalous service‑initiated operations, defenders must rely on end‑state detection (changes to roles, creation of service principals) rather than token‑level telemetry.
  • Operational tradeoffs that favor convenience: cloud SSO features, automatic extension management, and globally writable management directories all exist because they make administration easier. Each convenience feature expands the attack surface, and attackers exploit that calculus repeatedly. The FortiCloud SSO and similar incidents in the broader ecosystem are a pattern: convenience-first features turned into mass attack vectors when the control plane was flawed.

Risks from AI​

AI changes the attacker economics: it reduces the cost and time required to craft believable spear‑phishing, voice deepfakes, and automated reconnaissance. That alone does not create new zero‑day classes, but it dramatically increases the rate at which social engineering and initial access attempts can be tried. Combine that with leaked cloud tokens and a management host compromise, and you can reach catastrophic outcomes in hours rather than weeks.

Immediate, prioritized playbook for Windows admins and cloud defenders​

Below are concrete, tactical steps ranked by urgency. Apply these within 24 hours, 7–30 days, and 90 days.

First 24 hours — triage and containment​

  • Patch and mitigate: install Microsoft’s fixes for Entra/Windows Admin Center and apply the KBs addressing the storage and update CVEs. If immediate patching is impossible, apply vendor‑recommended mitigations (deny write access to C:\ProgramData\WindowsAdminCenter, disable WAC extension uninstall, restrict updater endpoints).
  • Rotate high‑privilege keys: rotate any service principals, machine‑assigned credentials, and automation keys that live on bastions, jump boxes, or management hosts. Assume compromise where credentials cannot be validated as issued after the fixes.
  • Lock management plane access: restrict WAC and similar management hosts to specific jump hosts and IP ranges, and require MFA for any administrative operation.
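
One way to verify the write-access mitigation above, as an added example that is not from the article or from Microsoft: the script walks C:\ProgramData\WindowsAdminCenter and lists every allow ACE that grants write-capable rights to a principal outside a trusted list. The trusted list (SYSTEM, Administrators, CREATOR OWNER, TrustedInstaller) and the set of rights treated as write-capable are assumptions to adjust for your deployment.

```powershell
# Added example (not the article's or Microsoft's code): list ACEs under the WAC
# data directory that let a non-administrative principal create, replace or
# delete files. Run elevated so every ACL can be read.
param([string]$Root = 'C:\ProgramData\WindowsAdminCenter')

if (-not (Test-Path -LiteralPath $Root)) { throw "Path not found: $Root" }

# Assumption: principals allowed to write here. Extend to match your own build.
$trustedSids = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-3-0',       # CREATOR OWNER (only applies to objects a principal could already create)
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # NT SERVICE\TrustedInstaller
)

# Specific rights that allow dropping a script or swapping a DLL.
$writeBits = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Raw GENERIC_WRITE / GENERIC_ALL bits, which Get-Acl reports as bare numbers
# on some inherit-only ACEs instead of named FileSystemRights.
$genericBits = 0x40000000 -bor 0x10000000
$sidType = [System.Security.Principal.SecurityIdentifier]

# Check the root itself plus every file and folder beneath it.
$items = @(Get-Item -LiteralPath $Root -Force) +
         @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

$findings = foreach ($item in $items) {
    try { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop }
    catch { Write-Warning "Cannot read ACL: $($item.FullName)"; continue }

    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (-not ([int]$ace.FileSystemRights -band ($writeBits -bor $genericBits))) { continue }
        $sid = $ace.IdentityReference.Value
        if ($trustedSids -contains $sid) { continue }

        # Resolve the SID for readability; orphaned SIDs stay as raw strings.
        try { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid }

        [pscustomobject]@{
            Path      = $item.FullName
            Principal = $name
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

if ($findings) {
    $findings | Sort-Object Path, Principal | Format-Table -AutoSize -Wrap
    Write-Warning "$(@($findings).Count) write-capable ACE(s) for untrusted principals under $Root"
} else {
    Write-Output "No write-capable ACEs for untrusted principals under $Root"
}
```

Inherited findings point at a parent folder ACL, so fix them where the ACE is defined rather than on each child.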

7–30 days — hunt, harden, and instrument​

  • Hunt for indicators: search audit logs for anomalous directory operations, sudden service principal creation, unexpected Global Admin role changes, or strange application‑initiated writes. Use vendor guidance and KQL samples published after the actor‑token disclosure.
  • Enforce least privilege: audit service principals and automation accounts; remove unused roles, and convert long‑lived credentials to short‑lived managed identities where possible.
  • Harden WAC and bastions: apply ACL fixes on ProgramData, restrict local write access, and centralize update mechanisms to reduce TOCTOU attack surface.
  • Rotate and burn CI/CD credentials: rotate keys extracted from build systems, package registries, and extension stores. Monitor for suspicious package updates or extension pushes that may indicate supply‑chain compromise.

90 days — architectural changes​

  • Reduce legacy surface: plan a migration away from deprecated APIs and legacy token mechanisms; work with vendors to get roadmap commitments for removing undocumented token flows.
  • Invest in token‑level telemetry: pressure cloud providers for richer, tenant‑visible service‑to‑service telemetry or provide compensating controls that alert on suspicious service‑initiated actions.
  • Establish an AI‑resilience program: introduce process controls for high‑value transactions that require out‑of‑band confirmation (not just a call or voice message), and expand training to make staff skeptical of AI‑generated content and deepfake vectors.

Detection and monitoring — what to look for right now​

  • Unexpected service principal or app registrations that occur outside change windows.
  • Directory write operations initiated by service‑named actors (Exchange, SharePoint, etc.) appearing under privileged contexts but with unusual caller metadata.
  • New persistence mechanisms on Windows Admin Center hosts — dropped DLLs in updater folders, new scheduled tasks, or odd signed PowerShell uninstall scripts.
  • Unusual outbound API usage to cloud metadata endpoints, or new IPs calling IAM or instance metadata in unusual patterns.
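
The first two indicators above can be hunted in an exported Entra ID audit log; the following is an added example, not code from the article or from Microsoft. It assumes the export uses the Microsoft Graph directoryAudit JSON shape. The watched activity names, the change window, and the service display names are assumed values to tune, and the sample records are constructed.

```powershell
# Added example: flag end-state indicators in an exported Entra ID audit log.
# Constructed sample records; replace with (Get-Content .\export.json -Raw).
$sampleJson = @'
[
 {"activityDateTime":"2025-09-02T14:05:00Z","activityDisplayName":"Add service principal",
  "initiatedBy":{"user":{"displayName":"Dana Ops","userPrincipalName":"dana@contoso.example"}},
  "targetResources":[{"displayName":"build-agent"}]},
 {"activityDateTime":"2025-09-06T03:12:00Z","activityDisplayName":"Add member to role",
  "initiatedBy":{"user":{"displayName":"Office 365 Exchange Online","userPrincipalName":"admin@contoso.example"}},
  "targetResources":[{"displayName":"temp-admin@contoso.example"}]},
 {"activityDateTime":"2025-09-07T22:40:00Z","activityDisplayName":"Add application",
  "initiatedBy":{"app":{"displayName":"Provisioning Pipeline"}},
  "targetResources":[{"displayName":"reporting-connector"}]},
 {"activityDateTime":"2025-09-03T15:00:00Z","activityDisplayName":"Update user",
  "initiatedBy":{"user":{"displayName":"Dana Ops","userPrincipalName":"dana@contoso.example"}},
  "targetResources":[{"displayName":"lee@contoso.example"}]}
]
'@

# Assumptions: activities worth reviewing, the approved change window
# (Tue-Thu, 13:00-17:00 UTC), and service names that should never appear as
# the display name of a user-context initiator.
$watchedActivities = 'Add service principal', 'Add application', 'Add member to role'
$serviceNames      = 'Office 365 Exchange Online', 'Office 365 SharePoint Online'
$changeDays        = 'Tuesday', 'Wednesday', 'Thursday'

function Find-SuspiciousDirectoryChange {
    param([object[]]$Records)
    foreach ($r in $Records) {
        if ($watchedActivities -notcontains $r.activityDisplayName) { continue }
        # Works whether ConvertFrom-Json left a string or produced a DateTime.
        $when = ([datetimeoffset]$r.activityDateTime).UtcDateTime
        $reasons = @()
        $inWindow = ($changeDays -contains $when.DayOfWeek.ToString()) -and
                    ($when.Hour -ge 13) -and ($when.Hour -lt 17)
        if (-not $inWindow) { $reasons += 'outside change window' }

        # A user principal name paired with a service display name is the
        # "service-named actor" pattern; app-initiated records have no user.
        $user = $r.initiatedBy.user
        if ($user -and $user.userPrincipalName -and ($serviceNames -contains $user.displayName)) {
            $reasons += 'user-context write with service display name'
        }
        if ($reasons.Count) {
            [pscustomobject]@{
                WhenUtc   = $when.ToString('u')
                Activity  = $r.activityDisplayName
                Initiator = if ($user) { "$($user.displayName) <$($user.userPrincipalName)>" }
                            else { "app: $($r.initiatedBy.app.displayName)" }
                Target    = $r.targetResources.displayName -join ', '
                Reasons   = $reasons -join '; '
            }
        }
    }
}

Find-SuspiciousDirectoryChange -Records ($sampleJson | ConvertFrom-Json) |
    Format-Table -AutoSize -Wrap
```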

Final perspective: what this cluster tells us about modern defense​

This is a story of systemic aze over — legacy tokens, deprecated APIs — can convert a local file deletion bug into a tenant compromise. Management convenience — writable ProgramData, cloud SSO, automated extension loading — can convert a low‑privilege user into an operational nightmare. And AI amplifies social engineering and reconnaissance to the point that the window from initial contact to full compromise shrinks dramatically.
The good news: these are solvable problems. They require disciplined patching, a re‑examination of convenience features versus risk, better token telemetry from vendors, and a realistic acceptance that attacker economics have changed. The technical fixes exist; the challenge is operational: prioritizing identity hygiene and management‑host hardening above nonessential upgrades or convenience rollouts.
Treat the Entra/actor‑token incident as the urgent warning it is: identity is the fulcrum. Protect it like the business depends on it — because it does.

Recommended reading and follow‑on actions​

  • Immediately apply vendor advisories and KBs referenced in your patch management console (Entra, WAC, Windows Storage).
  • Run a focused hunt for service principal creations and app registrations over the last 90 days; treat anomalies as high priority.
  • Rotate CI/CD and package/extension keys, and validate the integrity of any third‑party extension update workflows to prevent supply‑chain abuse.
  • Implement mandatory out‑of‑band confirmation for high‑value fund transfers and administrative changes that can be influenced by voice or video communications. Don’t rely solely on voice or a single channel for high‑risk approvals.

The Department of Know’s roundup is a useful single‑page mirror of a larger technical reality: identity, management planes, and update discipline are still the three control‑points that decide whether an intrusion stays local or becomes a full‑scale heist. Act like it. Patch like it. Monitor like it. The adversary has already combined speed, AI, and legacy plumbing into repeatable playbooks — your job is to break their chain at the earliest possible link.

Source: CISO Series Department of Know: AWS intruder heist, Windows update flaws
 
