Windows Server 2025 Flaw: Active Directory at Risk

A significant security flaw has emerged in Windows Server 2025. It allows privilege escalation: an attacker who exploits it can compromise any user in Active Directory (AD), which makes it a critical concern for the many organizations that depend on AD.

Understanding the dMSA Vulnerability

The attack abuses a new feature, the delegated Managed Service Account (dMSA), which Microsoft introduced in Windows Server 2025 to help defend against Kerberoasting attacks. Security researchers at Akamai discovered a flaw in it.

The vulnerability works with default settings and is, in Akamai's words, “trivial to implement,” which makes it especially dangerous. Akamai named the attack technique BadSuccessor.

Widespread Impact on Organizations

The issue likely affects most organizations, since so many rely on Active Directory. Of the environments Akamai examined, 91% contained users outside the Domain Admins group who already held permissions sufficient to perform the attack, which shows how widespread the risk is.

How dMSA Functions and the Core Problem

A dMSA can be created as a standalone account or used to replace an existing standard service account. When a dMSA supersedes an account, authentication with the old account's password is blocked; the request is instead handed to the Local Security Authority (LSA), which authenticates using the dMSA. The dMSA then has access to everything in AD that the previous account could access. During migration the dMSA learns which devices the existing service account is used on, and the move away from the old account happens automatically.

The problem arises during dMSA Kerberos authentication. The ticket-granting ticket (TGT) issued by the Key Distribution Center (KDC) embeds a Privilege Attribute Certificate (PAC), and that PAC contains not only the dMSA's security identifier (SID) but also the SIDs of the superseded account and all of its associated groups.

The BadSuccessor Attack Explained

This transfer of permissions is the risk: it opens the door to privilege escalation. By simulating the dMSA migration process, an attacker can compromise any user, including domain administrators, and gain equivalent privileges, effectively breaching the entire domain. This holds even if an organization's Windows Server 2025 domain does not use dMSAs at all.

The “simulated migration” technique is notable because it needs no permissions over the superseded account. The only requirement is write permission on the attributes of any dMSA. Once a dMSA is marked as “preceded by” a user, the KDC assumes a legitimate migration took place and grants the dMSA every permission the original user had; the dMSA becomes that user's “rightful successor.”

Microsoft’s Response and Mitigation

Akamai reported its findings to Microsoft on April 1, 2025. Microsoft classified the issue as “moderate” in severity and stated that it did not meet the bar for immediate servicing, because successful exploitation requires specific permissions on the dMSA object, which in Microsoft's assessment means the attacker must already hold elevated privileges.

A patch is being developed, but no fix is available yet. In the meantime, organizations are advised to limit who can create dMSAs and to harden permissions wherever possible. Akamai has also released a PowerShell script that identifies the principals able to create dMSAs and lists the organizational units (OUs) in which those permissions exist.

A High-Impact Vulnerability

This vulnerability introduces a previously unknown, high-impact abuse path: any user with “CreateChild” permission on an OU can compromise any domain user and gain comparable power. That is on par with the “Replicating Directory Changes” privilege used in DCSync attacks. Vigilance and proactive security measures are crucial.
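An added audit example for the mitigation advice and the CreateChild point above (this is not Akamai's script and not Microsoft's code): a PowerShell check that walks every OU, resolves the dMSA object class from the schema, and reports any principal outside an assumed allow-list of built-in admin groups that holds CreateChild (or GenericAll) rights over dMSA objects there. The allow-list and the output format are assumptions for the example; the `AD:` drive comes from the RSAT ActiveDirectory module.

```powershell
# Added example (not Akamai's script): find non-default principals that can create
# dMSA objects in any OU. Needs the RSAT ActiveDirectory module and read access to OU ACLs.
Import-Module ActiveDirectory

# Resolve the dMSA object class GUID from the schema rather than hard-coding it.
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$dmsaClass = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=msDS-DelegatedManagedServiceAccount)' -Properties schemaIDGUID
if (-not $dmsaClass) { throw 'dMSA class not found: forest schema is not at Windows Server 2025 level.' }
$dmsaGuid  = [guid]$dmsaClass.schemaIDGUID
$anyClass  = [guid]::Empty   # ObjectType of an ACE that applies to every child object class

# Identities expected to hold these rights. Assumed allow-list; tune it to your environment.
$domain   = (Get-ADDomain).NetBIOSName
$expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
              "$domain\Domain Admins", "$domain\Enterprise Admins")

$createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
$genericAll  = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

$findings = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = $ace.ActiveDirectoryRights
        # CreateChild scoped to the dMSA class, or CreateChild/GenericAll over all child classes
        if (-not ($rights.HasFlag($createChild) -or $rights.HasFlag($genericAll))) { continue }
        if ($ace.ObjectType -ne $dmsaGuid -and $ace.ObjectType -ne $anyClass) { continue }
        if ($expected -contains $ace.IdentityReference.Value) { continue }
        [pscustomobject]@{
            OU        = $ou.DistinguishedName
            Principal = $ace.IdentityReference.Value
            Rights    = $rights.ToString()
            Scope     = $(if ($ace.ObjectType -eq $dmsaGuid) { 'dMSA class only' } else { 'all child classes' })
            Inherited = $ace.IsInherited
        }
    }
}

if ($findings) { $findings | Sort-Object OU, Principal | Format-Table -AutoSize }
else { Write-Output 'No unexpected principals can create dMSA objects under any OU.' }
```

The check covers OUs only, so the default containers and write rights over the attributes of existing dMSAs need a separate review.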
