Overview:
Akamai researchers have identified a significant privilege escalation vulnerability in Windows Server 2025, termed “BadSuccessor.” The flaw abuses the newly introduced delegated Managed Service Accounts (dMSAs) feature and lets an attacker with modest directory permissions impersonate any Active Directory (AD) user, including domain administrators, without touching the target account, its password or its group memberships. Any domain that contains at least one Windows Server 2025 domain controller is exposed, whether or not dMSAs are actually in use.
Key Details:
- Affected Feature: Delegated Managed Service Accounts (dMSAs), introduced with Windows Server 2025. The dMSA object class and its migration logic become available as soon as one Windows Server 2025 domain controller is present; no dMSA needs to exist beforehand.
- Attack Mechanism: The attacker creates a dMSA (or gains write access to an existing one) and sets two attributes: msDS-ManagedAccountPrecededByLink to the distinguished name of the target account, and msDS-DelegatedMSAState to 2, the “migration completed” state. This simulates a finished migration from the target account to the dMSA. When the attacker then requests a Kerberos ticket for the dMSA, the Key Distribution Center (KDC) treats it as the successor of the linked account and places that account’s SID and group memberships in the ticket’s PAC, so the dMSA holds the target’s privileges. The KDC also returns the predecessor’s keys in the KERB-DMSA-KEY-PACKAGE, so the attacker obtains the target’s credential material as well.
- Prevalence: In 91% of the environments Akamai assessed, users outside the Domain Admins group held permissions sufficient to carry out the attack.
- Microsoft’s Response: Microsoft has acknowledged the issue but rated it “moderate” severity, below its bar for immediate servicing.
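The 91% figure above is about who may create dMSA objects. The following PowerShell, added here as an illustration and not taken from Akamai’s research or tooling, checks the same condition in your own domain: it walks every OU and container, reads its DACL, and reports any principal outside a short list of expected administrators that holds a CreateChild right covering dMSAs, either “Create all child objects” (ObjectType is the empty GUID) or creation of the msDS-DelegatedManagedServiceAccount class specifically. The exclusion list, the decision to scan containers as well as OUs, and the one-day assumptions in the comments are choices to adapt, not facts from the page.

```powershell
# Added example (not Akamai code): find non-admin principals that can create dMSA objects.
# Assumes the RSAT ActiveDirectory module and read access to the directory.
Import-Module ActiveDirectory

# Resolve the dMSA class GUID from the schema instead of hard-coding it. If the
# class is missing, the forest has no Windows Server 2025 schema and BadSuccessor
# cannot apply.
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$dmsaClass = Get-ADObject -SearchBase $schemaNC -Properties schemaIDGUID -LDAPFilter `
    '(&(objectClass=classSchema)(lDAPDisplayName=msDS-DelegatedManagedServiceAccount))'
if (-not $dmsaClass) { throw 'msDS-DelegatedManagedServiceAccount is not in the schema.' }
$dmsaGuid  = [guid]$dmsaClass.schemaIDGUID
$anyObject = [guid]::Empty          # ObjectType 0000... = ACE covers all child classes

# Principals expected to hold CreateChild. Illustrative; align with your tiering model.
$netbios  = (Get-ADDomain).NetBIOSName
$expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'BUILTIN\Account Operators',
              "$netbios\Domain Admins", "$netbios\Enterprise Admins")

$domainDN   = (Get-ADDomain).DistinguishedName
$containers = Get-ADObject -SearchBase $domainDN -SearchScope Subtree `
    -LDAPFilter '(|(objectClass=organizationalUnit)(objectClass=container))'

$findings = foreach ($c in $containers) {
    $acl = Get-Acl -Path "AD:\$($c.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # CreateChild is bit 1 of ActiveDirectoryRights; GenericAll includes it.
        $hasCreate = ($ace.ActiveDirectoryRights -band
                      [System.DirectoryServices.ActiveDirectoryRights]::CreateChild) -ne 0
        if (-not $hasCreate) { continue }
        # Only ACEs that cover all classes or the dMSA class matter here.
        if ($ace.ObjectType -ne $anyObject -and $ace.ObjectType -ne $dmsaGuid) { continue }
        if ($expected -contains $ace.IdentityReference.Value) { continue }
        [pscustomobject]@{
            Container = $c.DistinguishedName
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.ActiveDirectoryRights
            AppliesTo = $ace.InheritanceType     # None = this OU only; Descendents/All = children too
            Inherited = $ace.IsInherited
        }
    }
}
$findings | Sort-Object Container, Principal | Format-Table -AutoSize
```

Every row is a principal who can create a dMSA somewhere in the domain and therefore a candidate BadSuccessor actor; the usual fix is to remove the right or to move it to a tiered administrative group. Rights delegated through group nesting show up under the group’s name, so resolve membership of any unfamiliar group before deciding it is benign.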
Impact:
Exploitation of BadSuccessor can lead to complete domain compromise, granting attackers the ability to:
- Access sensitive data across the network.
- Gain privileged access to critical systems and endpoints.
- Move laterally within the network without restriction.
Notably, the attack never modifies the target account, its password or its group memberships, so controls that watch for changes to privileged accounts will not fire; the only artifacts are a new or modified dMSA object and the Kerberos requests made for it.
Recommendations:
Until an official patch is released, organizations should take the following proactive measures:
- Audit Permissions: Identify and restrict principals holding CreateChild rights on Organizational Units (OUs) and containers, whether granted as “Create all child objects” or specifically for the msDS-DelegatedManagedServiceAccount class; either is enough to create a dMSA and carry out the attack. Review write access to msDS-ManagedAccountPrecededByLink and msDS-DelegatedMSAState on existing dMSAs for the same reason.
- Monitor dMSA Creation: Alert on the creation of dMSA objects and on changes to their attributes, specifically msDS-ManagedAccountPrecededByLink and msDS-DelegatedMSAState. The “Audit Directory Service Changes” subcategory must be enabled to receive these events (IDs 5136, 5137, 5138, 5139 and 5141), and an event is generated only for objects that carry a system access control list (SACL) matching the operation performed. The default SACLs do not cover the objects and attributes in question, so a custom audit rule has to be added (see https://github.com/OTRF/Set-AuditRule).
- Use Detection Tools: Run Akamai’s PowerShell script Get-BadSuccessorOUPermissions.ps1 to enumerate the principals that can create dMSAs and the OUs where they hold that right.
- Restrict dMSA Usage: Limit the use of dMSAs to necessary scenarios and ensure they are created and managed by trusted administrators only.
- Stay Informed: Keep abreast of updates from Microsoft regarding patches or additional guidance on this vulnerability.
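The monitoring recommendation has three parts: turn the audit subcategory on, put a SACL on the objects to watch, and then read the events back. The PowerShell below is an added worked example, not code from Akamai or from the Set-AuditRule project; it applies a SACL at the domain head (so every OU inherits it) for successful dMSA creation and successful writes to the two attributes the attack sets, then filters the resulting 5136/5137 events down to those that touch dMSAs. It assumes it runs on a Windows Server 2025 domain controller as a Domain Admin (writing a SACL needs SeSecurityPrivilege), and the choice of Everyone as the audited principal, the domain head as the scope and the one-day lookback are illustrative.

```powershell
# Added example: SACL for dMSA creation / attribute writes, plus a reader for the events.
Import-Module ActiveDirectory

# 1. Without this subcategory no 5136/5137 events are written, whatever the SACL says.
auditpol.exe /set /subcategory:"Directory Service Changes" /success:enable | Out-Null

# 2. Look up schema GUIDs by lDAPDisplayName; hard-coded GUIDs are easy to get wrong.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC -Properties schemaIDGUID `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)"
    if (-not $obj) { throw "$LdapDisplayName is not in the schema (no Windows Server 2025 schema?)" }
    [guid]$obj.schemaIDGUID
}
$dmsaClass = Get-SchemaGuid 'msDS-DelegatedManagedServiceAccount'
$predLink  = Get-SchemaGuid 'msDS-ManagedAccountPrecededByLink'
$msaState  = Get-SchemaGuid 'msDS-DelegatedMSAState'

# 3. Audit rules: creation of dMSA objects anywhere under the domain head, and writes to
#    the two attributes on any descendant dMSA object. Everyone (S-1-1-0) so no actor is missed.
$auditRoot = (Get-ADDomain).DistinguishedName            # assumption: watch the whole domain
$everyone  = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'
$rules = @(
    [System.DirectoryServices.ActiveDirectoryAuditRule]::new(
        $everyone, 'CreateChild', 'Success', $dmsaClass, 'All'),
    [System.DirectoryServices.ActiveDirectoryAuditRule]::new(
        $everyone, 'WriteProperty', 'Success', $predLink, 'Descendents', $dmsaClass),
    [System.DirectoryServices.ActiveDirectoryAuditRule]::new(
        $everyone, 'WriteProperty', 'Success', $msaState, 'Descendents', $dmsaClass)
)
$acl = Get-Acl -Path "AD:\$auditRoot" -Audit              # -Audit is required to read/write the SACL
foreach ($r in $rules) { $acl.AddAuditRule($r) }
Set-Acl -Path "AD:\$auditRoot" -AclObject $acl

# 4. Read back the events and keep only the dMSA-relevant ones.
function Get-DmsaAuditEvent([datetime]$Since = (Get-Date).AddDays(-1)) {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136, 5137; StartTime = $Since } `
                 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $dmsaObject = $d.ObjectClass -eq 'msDS-DelegatedManagedServiceAccount'      # 5137 and 5136
        $predAttr   = $d.AttributeLDAPDisplayName -in @('msDS-ManagedAccountPrecededByLink',
                                                        'msDS-DelegatedMSAState')   # 5136 only
        if ($dmsaObject -or $predAttr) {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                EventId   = $_.Id
                Actor     = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                ObjectDN  = $d.ObjectDN
                Attribute = $d.AttributeLDAPDisplayName
                Value     = $d.AttributeValue       # for msDS-ManagedAccountPrecededByLink: the target's DN
                Operation = $d.OperationType        # %%14674 = value added, %%14675 = value deleted
            }
        }
    }
}
Get-DmsaAuditEvent | Format-Table -AutoSize
```

A 5137 whose ObjectClass is msDS-DelegatedManagedServiceAccount, followed by a 5136 that adds a msDS-ManagedAccountPrecededByLink value naming a privileged account, is the exact sequence the attack produces and should page someone; legitimate migrations are rare and planned, so an allow-list of change windows is usually enough to keep the noise down. Each domain controller logs only the writes it served, so run the reader against every DC (Get-WinEvent -ComputerName) or forward the Security log to your SIEM.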
Conclusion:
The BadSuccessor vulnerability highlights how even newly introduced features in trusted systems like Active Directory can unintentionally introduce high-impact risks. As organizations evaluate their exposure, it’s critical to not only implement technical mitigations but also revisit how permissions, account creation, and directory monitoring are handled across the enterprise.
At Assura, we help our clients stay ahead of emerging threats like this one through proactive services including SOC-as-a-Service, Penetration Testing, and Vulnerability Management-as-a-Service (VMaaS). For organizations needing guidance navigating complex privilege models or enforcing security policies in evolving environments like Windows Server 2025, our Virtual Information Security Officer (VISO) services are here to help.
If you’re unsure whether your environment is exposed to BadSuccessor or similar privilege escalation vectors, now is the time to take a closer look.
References:
- Akamai Security Research – Abusing dMSA for Privilege Escalation in Active Directory – https://www.akamai.com/blog/security-research/abusing-dmsa-for-privilege-escalation-in-active-directory
- Ori David (Akamai) – LinkedIn post on the BadSuccessor attack – https://www.linkedin.com/posts/oridavid_the-badsuccessor-attack-abusing-a-new-active-activity-7202341015971784704-1rLR