Today’s Topics:
- Microsoft Patches Critical Entra ID Flaw Enabling Global Admin Impersonation Across Tenants
- EDR-Freeze: New Tool Exploits Windows Error Reporting to Suspend Antivirus and EDR
- How can Netizen help?
Microsoft Patches Critical Entra ID Flaw Enabling Global Admin Impersonation Across Tenants

Microsoft has patched a critical vulnerability in Entra ID (formerly Azure Active Directory) that could have allowed attackers to impersonate any user, including Global Administrators, across all tenants worldwide.
The flaw, tracked as CVE-2025-55241, received the maximum CVSS score of 10.0. Security researcher Dirk-jan Mollema reported the issue on July 14, 2025. It was patched by Microsoft on July 17, with the company noting that there is no evidence of active exploitation and no customer action required.
The issue stemmed from legacy actor tokens, issued by the Access Control Service (ACS) for service-to-service communication, combined with a validation failure in the deprecated Azure AD Graph API (graph.windows.net). Because the API did not check which tenant a token had been issued in, an attacker could request actor tokens in a tenant they controlled and use them to impersonate any user, including Global Administrators, in other tenants.
With such a token, an attacker could read Entra ID user information, group and role assignments, application permissions, tenant settings, and even device information and BitLocker keys. Neither the issuance of actor tokens nor Azure AD Graph API calls generated logs in the victim tenant, so this reconnaissance could take place without leaving a trace.
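To make the validation failure concrete, the following is an added illustration written for this article (it is not Microsoft's code, and it uses a simplified HMAC-signed token rather than the real actor-token format). A resource API that verifies a token's signature and audience but never checks that the issuing tenant matches the tenant whose directory is being read will accept a token minted in an attacker's tenant as a user of the victim tenant; the tenant-bound check beside it closes that gap and records every decision, which is the logging the legacy API lacked. Tenant names, the signing key and the token layout are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Toy token format for illustration only (NOT the real Entra ID / ACS actor token):
# base64url(JSON claims) + "." + HMAC-SHA256 tag. In this model every tenant's
# tokens are signed by the same identity-service key, which is exactly why a
# signature check alone cannot establish WHICH tenant a token belongs to.
IDENTITY_SERVICE_KEY = b"constructed-demo-signing-key"
RESOURCE_AUDIENCE = "graph.windows.net"   # the legacy Azure AD Graph resource

AUDIT_LOG: list[str] = []   # the strict validator records its decisions here


def _tag(payload: str) -> str:
    return hmac.new(IDENTITY_SERVICE_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(issuing_tenant: str, subject: str, audience: str = RESOURCE_AUDIENCE) -> str:
    """Mint a token in `issuing_tenant` that claims to act as `subject`.
    An attacker controls `issuing_tenant` (their own tenant) but can name any
    identity from any tenant in `subject`."""
    claims = {"tid": issuing_tenant, "sub": subject, "aud": audience}
    payload = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    return f"{payload}.{_tag(payload)}"


def _verify_signature(token: str) -> dict:
    payload, tag = token.rsplit(".", 1)
    if not hmac.compare_digest(_tag(payload), tag):
        raise ValueError("signature check failed")
    return json.loads(base64.urlsafe_b64decode(payload))


def validate_lenient(token: str, resource_tenant: str) -> dict:
    """Vulnerable pattern: signature and audience are checked, but the tenant
    that issued the token is never compared with `resource_tenant`, the tenant
    whose directory the caller is about to read."""
    claims = _verify_signature(token)
    if claims.get("aud") != RESOURCE_AUDIENCE:
        raise ValueError("wrong audience")
    return claims   # resource_tenant is never consulted; that is the bug


def validate_strict(token: str, resource_tenant: str) -> dict:
    """Hardened pattern: the token must have been issued by the tenant it is
    used against, and both outcomes are written to an audit trail so that a
    cross-tenant attempt leaves a record even when it is rejected."""
    claims = validate_lenient(token, resource_tenant)
    tid, sub = claims.get("tid"), claims.get("sub")
    if tid != resource_tenant:
        AUDIT_LOG.append(f"REJECT tid={tid} sub={sub} target={resource_tenant}")
        raise ValueError(f"token issued by tenant {tid} cannot act in tenant {resource_tenant}")
    AUDIT_LOG.append(f"ACCEPT tid={tid} sub={sub} target={resource_tenant}")
    return claims


def cross_tenant_demo() -> dict:
    """An attacker in 'attacker-corp' forges a token for a Global Admin of
    'victim-corp' and presents it to victim-corp's directory API."""
    forged = issue_token("attacker-corp", "globaladmin@victim-corp")
    lenient_subject = validate_lenient(forged, "victim-corp")["sub"]
    try:
        validate_strict(forged, "victim-corp")
        strict_rejected = False
    except ValueError:
        strict_rejected = True
    return {"lenient_accepted_as": lenient_subject, "strict_rejected": strict_rejected}


if __name__ == "__main__":
    print(cross_tenant_demo())
    print("\n".join(AUDIT_LOG))
```

The lenient/strict split shows the class of bug rather than Microsoft's implementation: in the real case the missing binding was between the tenant that issued the actor token and the tenant of the user it impersonated.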
The impersonation of a Global Administrator could have resulted in complete compromise of an Entra tenant. Attackers could create new accounts, grant themselves permissions across Azure subscriptions, exfiltrate sensitive data from services such as SharePoint Online and Exchange Online, and bypass security controls like multi-factor authentication and Conditional Access. Cloud security firm Mitiga noted that the flaw effectively allowed for a silent full-tenant compromise.
Microsoft classified the flaw as an instance of what it calls high privilege access: an application or service able to impersonate users without proof of user context. The company reminded customers that the Azure AD Graph API was officially retired on August 31, 2025, and urged all applications to migrate to Microsoft Graph. Applications that continue relying on the legacy API will stop functioning after early September 2025.
The Entra ID flaw comes amid a wave of cloud security incidents and disclosures. Recent findings have included OAuth misconfigurations in Entra ID, OneDrive Known Folder Move exploitation, the exposure of Azure AD application credentials in appsettings.json files, and cross-tenant API connection abuse in Azure Resource Manager. Other reports have shown how misconfigurations in AWS and Azure identity systems allow attackers to persist in cloud environments without deploying malware, simply by abusing trust policies, temporary credentials, or misconfigured IAM roles.
Although the patch is already in place, CVE-2025-55241 highlights how legacy systems can undermine cloud security at scale. Organizations should review their applications for dependencies on deprecated APIs, monitor token usage closely, and ensure that third-party and internal applications are aligned with modern identity services. Regular audits of cloud configurations and service dependencies remain an important part of reducing exposure, particularly as attackers continue to focus on identity systems as the most direct route to compromise.
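As an added example of the dependency review recommended above (written for this article, not Microsoft tooling), the following audits application registrations for permissions that still target the retired Azure AD Graph resource. The two resource application IDs are the public well-known values for Azure AD Graph and Microsoft Graph; the sample registrations are constructed in the shape of the objects returned by `GET /applications` in Microsoft Graph, so the real output of `az ad app list` or `Get-MgApplication` can be fed in unchanged.

```python
import json

# Public well-known resource application IDs in Entra ID.
AZURE_AD_GRAPH_APP_ID = "00000002-0000-0000-c000-000000000000"   # legacy, retired
MICROSOFT_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # current

# Constructed sample registrations (fake app IDs and permission IDs), shaped like
# the `requiredResourceAccess` section of a Microsoft Graph application object.
SAMPLE_APPLICATIONS = json.loads(r"""
[
  {"displayName": "Legacy HR Sync",
   "appId": "11111111-1111-1111-1111-111111111111",
   "requiredResourceAccess": [
     {"resourceAppId": "00000002-0000-0000-c000-000000000000",
      "resourceAccess": [{"id": "aaaaaaaa-0000-0000-0000-000000000001", "type": "Role"},
                         {"id": "aaaaaaaa-0000-0000-0000-000000000002", "type": "Role"},
                         {"id": "aaaaaaaa-0000-0000-0000-000000000003", "type": "Scope"}]}]},
  {"displayName": "Employee Portal",
   "appId": "22222222-2222-2222-2222-222222222222",
   "requiredResourceAccess": [
     {"resourceAppId": "00000003-0000-0000-c000-000000000000",
      "resourceAccess": [{"id": "bbbbbbbb-0000-0000-0000-000000000001", "type": "Scope"}]},
     {"resourceAppId": "00000002-0000-0000-c000-000000000000",
      "resourceAccess": [{"id": "aaaaaaaa-0000-0000-0000-000000000003", "type": "Scope"}]}]},
  {"displayName": "Modern Reporting",
   "appId": "33333333-3333-3333-3333-333333333333",
   "requiredResourceAccess": [
     {"resourceAppId": "00000003-0000-0000-c000-000000000000",
      "resourceAccess": [{"id": "bbbbbbbb-0000-0000-0000-000000000002", "type": "Role"}]}]}
]
""")


def audit_legacy_graph(applications: list[dict]) -> list[dict]:
    """Return one finding per registration that still requests Azure AD Graph
    permissions. Application permissions (type "Role") run without a signed-in
    user and are listed first because they need the most urgent attention."""
    findings = []
    for app in applications:
        resources = app.get("requiredResourceAccess", [])
        uses_ms_graph = any(r.get("resourceAppId") == MICROSOFT_GRAPH_APP_ID for r in resources)
        for rra in resources:
            if rra.get("resourceAppId") != AZURE_AD_GRAPH_APP_ID:
                continue
            access = rra.get("resourceAccess", [])
            roles = sum(1 for a in access if a.get("type") == "Role")
            scopes = sum(1 for a in access if a.get("type") == "Scope")
            findings.append({
                "displayName": app.get("displayName"),
                "appId": app.get("appId"),
                "application_permissions": roles,
                "delegated_permissions": scopes,
                "also_uses_microsoft_graph": uses_ms_graph,
                # Apps already on Microsoft Graph usually only need the leftover
                # legacy permissions dropped; the rest need a full migration.
                "recommendation": ("remove remaining Azure AD Graph permissions"
                                   if uses_ms_graph else
                                   "migrate application to Microsoft Graph"),
            })
    findings.sort(key=lambda f: (-f["application_permissions"], f["displayName"]))
    return findings


if __name__ == "__main__":
    for finding in audit_legacy_graph(SAMPLE_APPLICATIONS):
        print(json.dumps(finding))
```

Registrations are only half the picture: service principals granted Azure AD Graph permissions by an administrator (rather than requested in the manifest) will not appear here and should be checked separately.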
EDR-Freeze: New Tool Exploits Windows Error Reporting to Suspend Antivirus and EDR

A researcher posting under the handle Zero Salarium has released details of a proof-of-concept tool called EDR-Freeze, which can suspend Endpoint Detection and Response (EDR) and antivirus processes, effectively putting them into a coma state without crashing the system.
The technique does not rely on the common Bring Your Own Vulnerable Driver (BYOVD) approach, which requires attackers to install and execute third-party drivers. Instead, EDR-Freeze abuses functionality already present in Windows: the MiniDumpWriteDump API (from DbgHelp), which Windows Error Reporting uses to write crash dumps.
MiniDumpWriteDump is designed to create a snapshot of a process for debugging purposes. To ensure consistency, it suspends all threads in the target process while the dump is written. Zero Salarium’s approach turns that behavior into an advantage: by forcing a race condition during the dump, the target process can be left suspended indefinitely.
The method uses WerFaultSecure.exe, a Windows component that runs with Protected Process Light (PPL) protection at the WinTCB level, to trigger MiniDumpWriteDump against security processes. By suspending WerFaultSecure at the precise moment it suspends the target, the victim process remains frozen without being resumed.
The tool also relies on launching WerFaultSecure with PPL protection via CreateProcessAsPPL, while OpenProcess with the PROCESS_SUSPEND_RESUME access right and the undocumented NtSuspendProcess native API are used to suspend and manage the processes involved.
EDR-Freeze automates the sequence of actions required to put a target process into a coma state. It requires two parameters: the process ID (PID) of the target program and the duration, in milliseconds, for which it should be suspended.
In a proof-of-concept demonstration, the researcher successfully suspended MsMpEng.exe, the Windows Defender antimalware process, for several seconds on Windows 11 24H2. During that time, monitoring and detection functions were paused, allowing potential high-risk actions to occur without interruption.
The GitHub project hosting the tool (https://github.com/TwoSevenOneT/EDR-Freeze) provides the code and usage examples.
This research highlights a different approach from the increasingly common BYOVD attacks. BYOVD requires shipping and loading vulnerable drivers, which creates instability and leaves more forensic traces. By contrast, EDR-Freeze exploits functionality already built into Windows, making the attack surface harder to eliminate.
For defenders, the key detection opportunity lies in WerFaultSecure.exe's execution parameters. If WerFaultSecure is observed with a target PID belonging to a critical process such as LSASS, an antivirus engine, or an EDR agent, it should be treated as highly suspicious and investigated immediately.
EDR-Freeze is currently positioned as a red team and research tool, but it underscores how attackers continue to look for creative ways to blind or disable security tools without crashing systems. Monitoring process creation events involving WerFaultSecure and CreateProcessAsPPL, together with handle opens that request the PROCESS_SUSPEND_RESUME access right against security processes (visible in Sysmon Event ID 10 as GrantedAccess 0x0800), will be critical for detection.
How Can Netizen Help?
Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive level cybersecurity expertise at a fraction of the cost of hiring internally.
Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.
Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.
Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.
