An unpatched vulnerability in Windows Server 2025 poses a significant risk to Active Directory (AD) users, allowing potential attackers to escalate privileges and impersonate any user. The flaw, identified by Akamai researcher Yuval Gordon, stems from a defect in the permission handling of a new type of service account known as delegated Managed Service Accounts (dMSA). The issue is present in the server's default configuration and has raised alarm because of how easily it can be exploited.
Gordon’s report highlights that the vulnerability enables a technique termed ‘BadSuccessor,’ which effectively allows malicious actors to target any Active Directory user, regardless of whether the organization’s domain uses dMSAs at all. The flaw is a consequence of how existing non-managed service accounts are transitioned into dMSAs: following migration, the dMSA acquires all permissions of the original account, a process that has been deemed problematic from a security standpoint.
While Akamai promptly reported the flaw to Microsoft, the tech giant categorized the issue as ‘moderate severity’ and stated that it does not currently warrant an immediate fix. Consequently, organizations are urged to take proactive measures to safeguard against potential exploits, as relying on Microsoft’s future patch may leave them exposed to attacks in the interim.
Experts caution that this vulnerability represents a critical security challenge, given that the technique can be leveraged not only against existing dMSA accounts but also through newly created ones. As Active Directory continues to be a prime target for cyber adversaries, organizations are advised to strictly manage permissions and monitor their systems closely to mitigate the risks associated with this evolving threat.
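As an added example, not from the article or from Akamai, the following PowerShell audit supports the permission review recommended above: it inventories existing dMSAs together with the account each one superseded, and lists which principals can create new dMSA objects under each OU, since the ability to create a dMSA is what a migration-based abuse depends on. It assumes the RSAT ActiveDirectory module (with its AD: drive) and uses the schema attribute names msDS-ManagedAccountPrecededByLink and msDS-DelegatedMSAState, which the article does not mention.

```powershell
# Added audit script (not the article's or Akamai's code). Assumes the
# ActiveDirectory module is installed and the caller can read OU ACLs.
Import-Module ActiveDirectory

# 1. Inventory existing dMSAs. msDS-ManagedAccountPrecededByLink names the
#    predecessor account whose identity the dMSA inherited after migration.
function Get-DmsaInventory {
    Get-ADObject -LDAPFilter '(objectClass=msDS-DelegatedManagedServiceAccount)' `
        -Properties 'msDS-ManagedAccountPrecededByLink','msDS-DelegatedMSAState' |
      Select-Object Name, DistinguishedName,
        @{n='Predecessor'; e={ $_.'msDS-ManagedAccountPrecededByLink' }},
        @{n='State';       e={ $_.'msDS-DelegatedMSAState' }}
}

# 2. Find principals allowed to create dMSA objects in any OU: an Allow ACE
#    carrying CreateChild (GenericAll includes it) that applies either to all
#    child types (empty ObjectType GUID) or to the dMSA schema class itself.
function Get-DmsaCreators {
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $dmsaGuid = [guid](Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter '(ldapDisplayName=msDS-DelegatedManagedServiceAccount)' `
        -Properties schemaIDGUID).schemaIDGUID
    $createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
    foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
        $acl = Get-Acl -Path ("AD:\" + $ou.DistinguishedName)
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $canCreate = ($ace.ActiveDirectoryRights -band $createChild) -ne 0
            $anyType   = $ace.ObjectType -eq [guid]::Empty
            if ($canCreate -and ($anyType -or $ace.ObjectType -eq $dmsaGuid)) {
                [pscustomobject]@{
                    OU        = $ou.DistinguishedName
                    Principal = $ace.IdentityReference.Value
                    Scope     = if ($anyType) { 'Any child object' } else { 'dMSA objects' }
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

Get-DmsaInventory | Format-Table -AutoSize
Get-DmsaCreators  | Sort-Object OU, Principal | Format-Table -AutoSize
```

Built-in administrative principals will appear in the second listing by design; the entries worth reviewing are delegated groups or users that have no business creating service accounts in that OU. The script covers OUs only, so extend the search to other containers if your domain places service accounts elsewhere.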