Critical Vulnerability in Windows Server 2025 Exposes Active Directory to Domain Compromise

A newly discovered privilege escalation vulnerability in Windows Server 2025 poses a significant threat to organizations utilizing Active Directory (AD), allowing attackers to potentially compromise any user, including Domain Admins. The vulnerability, identified as the ‘BadSuccessor’ attack, exploits features meant to enhance security through the use of delegated Managed Service Accounts (dMSAs), introduced with Windows Server 2025.

Akamai researcher Yuval Gordon explained that the BadSuccessor attack is alarmingly simple to execute and operates under default configurations. It leverages the automatic privilege inheritance from legacy accounts to dMSAs, hinging on a single attribute that the Key Distribution Center (KDC) uses to determine which legacy account a dMSA is substituting. This creates an avenue for abuse, as the necessary permissions typically required to execute such migrations can be circumvented.

During their investigation, researchers exploited the ability to create dMSAs without needing privileged access, discovering that any user with ‘Create all child objects’ permissions in an organizational unit can generate new dMSAs. By manipulating specific attributes, attackers can effectively inherit the privileges of any existing account, raising serious concerns about AD security across various organizations.

The implications of this vulnerability are profound, as it has the potential to affect the vast majority of organizations. Gordon noted, ‘91% of the environments we examined had users outside the Domain Admins group with the required permissions to perform this attack.’ Until Microsoft releases a patch, which is currently being developed, organizations are urged to restrict dMSA creation permissions to trusted administrators and to implement logging and monitoring measures to detect possible abuse of dMSA creation.
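One way to carry out the permission review the article urges is to enumerate every principal that can create dMSA objects in any OU and flag those that are not expected administrators. The script below is an added example, not the Akamai script the article refers to; it assumes the ActiveDirectory RSAT module, a forest schema that already contains the Windows Server 2025 dMSA class, and an `$expected` list of privileged identities that you adjust to your environment.

```powershell
# Added example (not from the article or Akamai): list who can create dMSA objects per OU.
# Requires the ActiveDirectory RSAT module and read access to OU security descriptors.
Import-Module ActiveDirectory

# Resolve the dMSA class GUID from the schema instead of hard-coding it.
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$dmsaClass = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=msDS-DelegatedManagedServiceAccount)' -Properties schemaIDGUID
if (-not $dmsaClass) { throw 'dMSA class not found in schema; forest is not at Windows Server 2025 schema level.' }
$dmsaGuid = [Guid]$dmsaClass.schemaIDGUID

# Identities whose create rights are expected (assumption: tune to your environment).
$expected = @(
    'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
    "$env:USERDOMAIN\Domain Admins", "$env:USERDOMAIN\Enterprise Admins"
)

$rightsType = [System.DirectoryServices.ActiveDirectoryRights]

$findings = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = $ace.ActiveDirectoryRights
        # A principal can create dMSAs here if it holds GenericAll, or CreateChild scoped either to
        # all object types (ObjectType = empty GUID, shown as 'Create all child objects') or to the
        # dMSA class itself.
        $canCreate = $rights.HasFlag($rightsType::GenericAll) -or
                     ($rights.HasFlag($rightsType::CreateChild) -and
                      ($ace.ObjectType -eq [Guid]::Empty -or $ace.ObjectType -eq $dmsaGuid))
        if ($canCreate -and $expected -notcontains $ace.IdentityReference.Value) {
            [pscustomobject]@{
                OU        = $ou.DistinguishedName
                Identity  = $ace.IdentityReference.Value
                Rights    = $rights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Every row is a principal outside the expected set that can create dMSAs in that OU.
$findings | Sort-Object OU, Identity | Format-Table -AutoSize
```

The report does not expand nested group membership and does not cover OU owners or holders of WriteDacl/WriteOwner, who could grant themselves the right; review those separately before treating an empty result as clean.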

For more detailed technical information, researchers recommend consulting the blog on Akamai’s findings, which includes a script for organizations to assess their current security standing regarding dMSA permissions.