Security researchers have disclosed a critical vulnerability in Windows Server 2025 that enables attackers to take over any user account in Active Directory, including highly privileged accounts.

Dubbed “BadSuccessor,” the attack abuses delegated Managed Service Accounts (dMSAs), a feature introduced in Windows Server 2025, and works by default in any environment with at least one Windows Server 2025 domain controller, whether or not the organization actually uses dMSAs.

Akamai researcher Yuval Gordon, who discovered the vulnerability, revealed that the attack is “trivial to implement” and requires only minimal permissions that many users already possess.

According to Akamai’s research, 91% of examined environments contained users outside the domain admins group with sufficient permissions to execute this attack.

“By abusing dMSAs, attackers can take over any principal in the domain,” Gordon explained. “All an attacker needs to perform this attack is a benign permission on any organizational unit (OU) in the domain, a permission that often flies under the radar.”

BadSuccessor Attack

The flaw stems from how Windows Server 2025 handles dMSA migration. When a dMSA replaces a legacy service account, the Key Distribution Center (KDC) treats it as that account’s successor: tickets issued to the dMSA carry the superseded account’s security identifiers and group memberships, so access that was granted to the old account keeps working after the switch.

The attack abuses this by writing two attributes on a dMSA the attacker controls: msDS-ManagedAccountPrecededByLink, pointed at the victim account, and msDS-DelegatedMSAState, set to 2, the value that marks a migration as completed. No real migration ever takes place, but the KDC has no way to tell, so the dMSA effectively impersonates the target.

What makes BadSuccessor particularly dangerous is that attackers need no permissions on the target account itself. Control of a dMSA is enough, and creating one requires only the right to create child objects in some OU. By pointing the dMSA’s “msDS-ManagedAccountPrecededByLink” attribute at a high-value target such as a Domain Admin, the attacker can authenticate as the dMSA and inherit all of the target’s permissions and group memberships.

“With just two attribute changes, a humble new object is crowned the successor and the KDC never questions the bloodline; if the link is there, the privileges are granted,” Gordon noted in Akamai’s detailed report.

Even more concerning, the researchers found that the Kerberos keys of the superseded account are handed to the dMSA during its own authentication (in the dMSA key package returned by the KDC), so the attacker obtains the target’s credentials and can authenticate directly as that user without going through the dMSA at all.

Microsoft has acknowledged the vulnerability but classified it as “Moderate severity,” stating it does not warrant immediate patching. According to Microsoft, the technique requires elevated user permissions to succeed and will be addressed in a future update.

“After thorough investigation, this case has been rated as Moderate severity, which does not warrant immediate servicing,” a Microsoft spokesperson told Forbes.

Akamai researchers disagree with this assessment, arguing that the permissions required are commonly available and often considered benign. Gordon compared the power of this attack to DCSync, a notorious technique used to extract password hashes from domain controllers.

Until a patch is available, organizations should take several defensive measures:

Audit dMSA creation: Security Event ID 5137 (directory service object created) where the object class is msDS-DelegatedManagedServiceAccount

Monitor modifications to the msDS-ManagedAccountPrecededByLink attribute (Security Event ID 5136, directory service object modified). Both 5137 and 5136 are only generated when the “Audit Directory Service Changes” subcategory is enabled and an auditing entry (SACL) exists on the OUs being watched

Track dMSA authentication attempts (Event ID 2946, logged on the domain controller)

Identify and restrict the ability to create dMSAs: review which principals hold CreateChild rights on OUs, either for any object class or specifically for msDS-DelegatedManagedServiceAccount, and limit them to the administrators who actually perform migrations
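The hunting and auditing steps above can be scripted. The following PowerShell is an added example written for this article, not Akamai’s published script: it reports OU access control entries that grant CreateChild to principals outside an assumed allowlist (SYSTEM, BUILTIN\Administrators, Domain Admins, Enterprise Admins), lists existing dMSAs whose msDS-ManagedAccountPrecededByLink already points somewhere and flags predecessors with adminCount set, and pulls recent 5136 events for the two attributes from a domain controller. The allowlist, the seven-day default window and the use of adminCount as the privilege marker are assumptions to adjust locally; it requires the ActiveDirectory RSAT module and, for the event query, read access to the DC’s Security log.

```powershell
# Added example (not Akamai's script): hunt for BadSuccessor exposure in the current domain.
# Assumptions: ActiveDirectory module available; allowlist below matches local practice.
Import-Module ActiveDirectory

# The dMSA object class only exists once a Windows Server 2025 DC has extended the
# schema; its schemaIDGUID is what an object-specific CreateChild ACE refers to.
$DmsaClass  = 'msDS-DelegatedManagedServiceAccount'
$dmsaSchema = Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext `
                -LDAPFilter "(lDAPDisplayName=$DmsaClass)" -Properties schemaIDGUID
if (-not $dmsaSchema) { throw "$DmsaClass is not in the schema: no Windows Server 2025 DC, not exposed" }
$DmsaGuid = [guid]$dmsaSchema.schemaIDGUID

# Principals expected to hold CreateChild on OUs (assumed allowlist); anyone else is reported.
$ExpectedSids = @(
    'S-1-5-18'        # NT AUTHORITY\SYSTEM
    'S-1-5-32-544'    # BUILTIN\Administrators
    (Get-ADGroup 'Domain Admins').SID.Value
    (Get-ADGroup 'Enterprise Admins' -Server (Get-ADForest).RootDomain).SID.Value
)

function Resolve-Sid([string]$Sid) {
    # Best-effort SID to DOMAIN\name; fall back to the raw SID for deleted or foreign principals.
    try { ([System.Security.Principal.SecurityIdentifier]$Sid).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Sid }
}

function Get-DmsaCreateRights {
    # Every Allow ACE on an OU that lets a non-allowlisted principal create a dMSA there:
    # CreateChild for any class (GenericAll includes that bit) or for the dMSA class only.
    $createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    foreach ($ou in Get-ADOrganizationalUnit -Filter * -Properties nTSecurityDescriptor) {
        $rules = $ou.nTSecurityDescriptor.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            if ($rule.AccessControlType -ne 'Allow') { continue }
            # InheritOnly ACEs do not apply to this OU itself; child OUs are visited separately.
            if (($rule.PropagationFlags -band $inheritOnly) -eq $inheritOnly) { continue }
            if ($rule.IdentityReference.Value -in $ExpectedSids) { continue }
            if (($rule.ActiveDirectoryRights -band $createChild) -ne $createChild) { continue }
            if ($rule.ObjectType -ne [guid]::Empty -and $rule.ObjectType -ne $DmsaGuid) { continue }
            $scope = if ($rule.ObjectType -eq [guid]::Empty) { 'any child class' } else { $DmsaClass }
            [pscustomobject]@{
                OU        = $ou.DistinguishedName
                Principal = Resolve-Sid $rule.IdentityReference.Value
                Rights    = $rule.ActiveDirectoryRights
                Scope     = $scope
            }
        }
    }
}

function Get-LinkedDmsa {
    # Every dMSA that already claims a predecessor. State 2 means "migration completed",
    # the value the attack writes; adminCount 1 marks a protected (privileged) predecessor.
    $filter = "(&(objectClass=$DmsaClass)(msDS-ManagedAccountPrecededByLink=*))"
    $props  = 'msDS-ManagedAccountPrecededByLink', 'msDS-DelegatedMSAState', 'whenCreated'
    foreach ($dmsa in Get-ADObject -LDAPFilter $filter -Properties $props) {
        foreach ($link in @($dmsa.'msDS-ManagedAccountPrecededByLink')) {
            $target = Get-ADObject -Identity $link -Properties adminCount -ErrorAction SilentlyContinue
            [pscustomobject]@{
                dMSA        = $dmsa.DistinguishedName
                Created     = $dmsa.whenCreated
                State       = $dmsa.'msDS-DelegatedMSAState'
                Predecessor = $link
                AdminCount  = $target.adminCount
            }
        }
    }
}

function Get-DmsaLinkChangeEvents {
    # Security 5136 (directory object modified) events touching the two attributes.
    # Only present if "Audit Directory Service Changes" is enabled and the OUs carry a SACL.
    param([string]$DomainController = (Get-ADDomainController).HostName, [int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days).ToUniversalTime().ToString('o')
    $xpath = "*[System[EventID=5136 and TimeCreated[@SystemTime>='$since']] and " +
             "EventData[Data[@Name='AttributeLDAPDisplayName']='msDS-ManagedAccountPrecededByLink' or " +
             "Data[@Name='AttributeLDAPDisplayName']='msDS-DelegatedMSAState']]"
    Get-WinEvent -ComputerName $DomainController -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = @{}
            foreach ($node in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$node.GetAttribute('Name')] = $node.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Actor     = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                Object    = $data.ObjectDN
                Attribute = $data.AttributeLDAPDisplayName
                Value     = $data.AttributeValue
                Operation = $data.OperationType   # %%14674 = value added, %%14675 = value deleted
            }
        }
}

# Who could plant a dMSA, which existing dMSAs point at protected predecessors,
# and who changed the telltale attributes in the last 30 days.
Get-DmsaCreateRights | Format-Table -AutoSize
Get-LinkedDmsa | Where-Object { $_.AdminCount -eq 1 } | Format-List
Get-DmsaLinkChangeEvents -Days 30 | Format-Table -AutoSize
```

The first function is the one to run before anything else: any row it returns is a principal who can stage the attack in that OU today, regardless of whether a single dMSA exists yet. Rows from the second function with a non-zero State and a privileged predecessor that no migration project explains deserve immediate investigation, since a legitimate migration leaves a matching change record and a service owner who asked for it.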

Akamai has published a PowerShell script to help organizations identify users with permissions that could enable this attack.

The discovery highlights how seemingly benign permissions can lead to full domain compromise, especially when new features introduce complex authentication paths.

Organizations running Windows Server 2025 should implement monitoring and access restrictions immediately while awaiting an official patch from Microsoft.
