Akamai reports privilege escalation vulnerability in Windows Server 2025 called BadSuccessor
Take action: This advisory is a mess. There is obviously a real issue in Windows Server 2025 AD and it is exploitable. Unfortunately, the researchers decided to publish it before any patch is available. If you don't have a Windows Server 2025 domain controller, don't upgrade until a patch is released and well tested. If you do have a Windows Server 2025 domain controller, plan an action to limit permissions over dMSAs to administrators. Even those administrators may still be disgruntled and abuse such power.
Learn More
Akamai researcher Yuval Gordon has uncovered a privilege escalation vulnerability in Windows Server 2025 that exposes organizations running Active Directory environments with Server 2025.
This vulnerability is dubbed "BadSuccessor," and allows attackers to compromise any user in Active Directory, including highly privileged accounts like Domain Administrators, by exploiting the newly introduced delegated Managed Service Accounts (dMSA) feature.
Currently no CVE has been assigned to this vulnerability. It has been reported to Microsoft and acknowledged by the company.
The vulnerability exploits a design flaw in the delegated Managed Service Account feature that was introduced in Windows Server 2025. The migration process for a dMSA relies on simple attribute manipulation instead of validation. By controlling a dMSA and setting its "msDS-ManagedAccountPrecededByLink" attribute to point to a high-value target such as a Domain Admin, the attacker can authenticate as the dMSA and inherit all of the target's permissions and group memberships.
The attack works by manipulating two attributes on dMSA objects:
- msDS-ManagedAccountPrecededByLink: Set to reference any target user or computer account
- msDS-DelegatedMSAState: Set to value 2 to indicate completed migration
This technique allows any user who controls a dMSA object to control the entire domain through a simulated migration process that requires no actual migration, verification, or oversight.
Beyond basic privilege escalation, the BadSuccessor vulnerability also enables credential compromise: When a dMSA authenticates, it not only inherits the permissions of the superseded account but also gains access to the encryption keys of the original account, enabling attackers to decrypt service tickets and potentially obtain plaintext passwords.
This credential harvesting capability means that attackers can potentially compromise the actual passwords or encryption keys of targeted accounts, not just impersonate them temporarily.
Affected are Windows Server 2025 environments with at least one domain controller running the new operating system, regardless of whether the organization actively uses dMSAs. The vulnerability exists in the default configuration and affects any Active Directory domain that includes Windows Server 2025 infrastructure with at least one Windows Server 2025 domain controller.
Akamai's analysis revealed that in 91% of examined environments, users outside the domain admins group possessed sufficient permissions to execute this attack.
Akamai reported the findings to Microsoft on April 1, 2025, following which Microsoft classified the issue as moderate severity and indicated it does not meet the threshold for immediate servicing. Microsoft's assessment is based on the requirement that successful exploitation needs specific permissions on dMSA objects, which they consider indicative of already elevated privileges.
Akamai researchers strongly disagree with this severity assessment, arguing that the vulnerability introduces a previously unknown and high-impact abuse path that makes it possible for any user with CreateChild permissions on an organizational unit to compromise any user in the domain and gain similar power to the Replicating Directory Changes privilege used to perform DCSync attacks.
Microsoft has confirmed they are working on a fix, but no patch is currently available and no timeline has been provided for resolution. This leaves organizations in a vulnerable state where they must implement their own protective measures while awaiting an official fix.
Until Microsoft releases an official patch, organizations should implement immediate defensive measures:
- Restrict dMSA Creation Permissions: Organizations are advised to limit the permission to create dMSAs to trusted administrators only. This involves identifying all principals with CreateChild permissions on organizational units and removing these rights from non-essential accounts.
- Enhanced Monitoring: Deploy comprehensive logging and monitoring for dMSA-related activities, including creation, modification, and authentication events. Organizations should configure appropriate SACLs and ensure security information and event management (SIEM) systems are tuned to detect suspicious dMSA activities.
- Permission Auditing: Akamai has released a PowerShell script that helps defenders identify which identities have permissions to create dMSAs in their domain and which organizational units are affected, highlighting where the BadSuccessor attack could be executed.
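The permission audit described in the first and third measures above, as an added example that is not Akamai's script: it reads each OU's DACL and reports principals outside a constructed allow-list of built-in admin groups that hold CreateChild (or GenericAll) rights applying to the dMSA object class. It assumes the ActiveDirectory RSAT module and read access to the domain and schema partitions.

```powershell
# Added example (not Akamai's Get-BadSuccessorOUPermissions script).
Import-Module ActiveDirectory

$domain  = Get-ADDomain
$rootDse = Get-ADRootDSE
# Resolve the schemaIDGUID of the dMSA class from the schema partition
# instead of hard-coding it; it is absent if no Server 2025 DC exists.
$dmsaClass = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=msDS-DelegatedManagedServiceAccount)' `
    -Properties schemaIDGUID
if (-not $dmsaClass) { throw 'dMSA object class not found in schema' }
$dmsaGuid = [guid]$dmsaClass.schemaIDGUID
$anyGuid  = [guid]::Empty   # ACE not scoped to an object type

# Constructed allow-list: Administrators, Domain Admins, Enterprise Admins,
# SYSTEM. Anything else with create rights is reported.
$expected = @('S-1-5-32-544', "$($domain.DomainSID)-512",
              "$($domain.DomainSID)-519", 'S-1-5-18')
$createMask = [int][System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor
              [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll

$findings = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.ActiveDirectoryRights -band $createMask) -eq 0) { continue }
        # The right must apply to dMSA objects: either unscoped, or
        # scoped ("Create msDS-DelegatedManagedServiceAccount objects").
        if ($ace.ObjectType -ne $anyGuid -and $ace.ObjectType -ne $dmsaGuid) { continue }
        try {
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { $sid = $ace.IdentityReference.Value }   # unresolvable SID
        if ($expected -contains $sid) { continue }
        [pscustomobject]@{
            OU        = $ou.DistinguishedName
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.ActiveDirectoryRights
            Inherited = $ace.IsInherited
        }
    }
}
$findings | Sort-Object OU, Principal | Format-Table -AutoSize
```

Every row is a place where a non-admin principal could create a dMSA; remove the right or move the principal into the allow-list only after confirming it is intentional.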
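For the monitoring measure above, an added example (not from the advisory or Akamai) that pulls Directory Service Changes events (ID 5136) from a domain controller and flags writes to the two dMSA attributes the attack manipulates. It assumes the "Audit Directory Service Changes" subcategory is enabled, that a SACL auditing Write Property by Everyone exists on the relevant OUs, and that `$dc` is a hypothetical DC hostname.

```powershell
# Added example: detect msDS-ManagedAccountPrecededByLink /
# msDS-DelegatedMSAState writes via Security event 5136.
$dc      = 'DC01'                      # hypothetical domain controller
$watched = 'msDS-ManagedAccountPrecededByLink', 'msDS-DelegatedMSAState'
$filter  = @{ LogName = 'Security'; Id = 5136; StartTime = (Get-Date).AddDays(-1) }

$events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue
$hits = foreach ($e in $events) {
    # 5136 carries its fields as named EventData entries; flatten them.
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($watched -notcontains $d['AttributeLDAPDisplayName']) { continue }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Actor     = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        Object    = $d['ObjectDN']
        Class     = $d['ObjectClass']
        Attribute = $d['AttributeLDAPDisplayName']
        Value     = $d['AttributeValue']
        # %%14674 = value added, %%14675 = value deleted
        Operation = $d['OperationType']
    }
}
$hits | Sort-Object Time | Format-Table -AutoSize
```

A PrecededByLink value naming a privileged account, or a DelegatedMSAState of 2 written by anyone other than the migration tooling, is the signal to escalate.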