Critical Flaw Discovered in Windows Server 2025 Poses Risk to Active Directory Users

A serious security vulnerability has been identified in Windows Server 2025 that endangers organizations running Active Directory (AD). The flaw, discovered by Akamai researcher Yuval Gordon, involves a new feature known as delegated Managed Service Accounts (dMSAs) and could let an attacker who starts with only minimal access gain control of any user account in an organization’s AD.

The vulnerability exploits a critical oversight in the dMSA migration process. By altering just two attributes on a dMSA object, an attacker can simulate a migration of account permissions from one user to another. The system accepts this as a legitimate migration and grants the attacker’s new dMSA all the permissions of the targeted user—potentially including those of highly privileged accounts such as Domain Admins. A full explanation of the technique, now called the BadSuccessor attack, is available in the original report.

Worryingly, Akamai’s analysis found that in the majority of tested environments—91%—users outside the Domain Admins group already held the permissions needed to carry out this attack. This is an urgent concern for organizations relying on Active Directory, because such configurations are so common that the potential for compromise is vast.

Microsoft has acknowledged the issue—following a report submitted on April 1, 2025—but no patch is currently available. Microsoft’s assessment rates the flaw as moderate severity; Akamai’s researchers argue that this classification understates the actual risk. The right to create a dMSA is often granted alongside seemingly benign permissions, yet it can lead to full domain compromise, with an operational impact comparable to critical attacks such as DCSync. Given the severity of the situation, the researchers urged organizations to take proactive measures, including monitoring dMSA objects and auditing permissions on Organizational Units. As adoption of Windows Server 2025 grows, organizations should make understanding and mitigating the risks of its new functionality a priority.
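As an added example that is not from Akamai’s report or from Microsoft, the following PowerShell audit implements the two recommendations above: it lists OU ACEs that grant object-creation rights to principals outside the expected admin groups, and inventories existing dMSA objects for baselining. It assumes the RSAT ActiveDirectory module on a domain-joined host and that the dMSA object class is named msDS-DelegatedManagedServiceAccount.

```powershell
# Added audit script (not from Akamai's report or Microsoft): for every OU, list
# allow-ACEs that grant rights sufficient to create child objects (the foothold
# BadSuccessor needs) to principals outside the expected admin groups, then
# enumerate existing dMSA objects for baselining. Assumes RSAT's ActiveDirectory
# module on a domain-joined host and that the dMSA object class is named
# msDS-DelegatedManagedServiceAccount (an assumption; verify against your schema).
Import-Module ActiveDirectory
$domain = Get-ADDomain
$rootDomain = Get-ADDomain -Identity (Get-ADForest).RootDomain
$TrustedSids = @(
    'S-1-5-32-544',                          # BUILTIN\Administrators
    'S-1-5-18',                              # NT AUTHORITY\SYSTEM
    "$($domain.DomainSID)-512",              # Domain Admins
    "$($rootDomain.DomainSID)-519"           # Enterprise Admins (forest root)
)
# Any of these rights lets the holder create objects in (or re-ACL) the OU.
$RiskyRights = 'CreateChild', 'GenericAll', 'WriteDacl', 'WriteOwner'

function Get-OuCreateRightsFindings {
    foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
        $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $rights = $ace.ActiveDirectoryRights.ToString()
            if (-not ($RiskyRights | Where-Object { $rights -match $_ })) { continue }
            try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
            catch { $sid = $ace.IdentityReference.Value }
            if ($TrustedSids -contains $sid) { continue }
            [pscustomobject]@{
                OU         = $ou.DistinguishedName
                Principal  = $ace.IdentityReference.Value
                Rights     = $rights
                # All-zero ObjectType means the right applies to every object class;
                # a specific GUID restricts it to one class, so check it before dismissing.
                ObjectType = $ace.ObjectType
                Inherited  = $ace.IsInherited
            }
        }
    }
}

# Existing dMSA objects: record them as a baseline and alert on new or modified ones.
function Get-DmsaInventory {
    Get-ADObject -LDAPFilter '(objectClass=msDS-DelegatedManagedServiceAccount)' `
        -Properties whenCreated, whenChanged |
        Select-Object Name, DistinguishedName, whenCreated, whenChanged
}

Get-OuCreateRightsFindings | Sort-Object OU, Principal | Format-Table -AutoSize
Get-DmsaInventory | Format-Table -AutoSize
```

Every principal the first report lists can create objects in that OU; review whether it needs the right at all, and re-run the inventory on a schedule so that a dMSA appearing outside a change window is investigated.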