A significant security flaw has emerged. It affects Windows Server 2025. This vulnerability allows privilege escalation. Attackers could compromise any user in Active Directory (AD). This is a critical concern for many organizations.
Understanding the dMSA Vulnerability
This attack exploits a new feature. It is called delegated Managed Service Account (dMSA). Microsoft introduced dMSA in Windows Server 2025. It was meant to help with Kerberoasting attacks. However, a flaw now exists. Security researchers at Akamai discovered it.
The vulnerability works with default settings. It is also “trivial to implement.” This makes it especially dangerous. Akamai named this attack technique BadSuccessor.
Widespread Impact on Organizations
This issue likely affects most organizations. Many companies rely on Active Directory. Akamai examined many environments. In 91% of them, users outside the domain admins group had permissions. These permissions were enough to perform this attack. This highlights a widespread risk.
How dMSA Functions and the Core Problem
dMSA allows users to create standalone accounts. It also lets them replace existing standard service accounts. When a dMSA supersedes an account, authentication via the old password is blocked. The request then goes to the Local Security Authority (LSA). LSA authenticates using dMSA. The dMSA gains access to everything the previous account could access in AD. During migration, dMSA learns device usage. It moves from all existing service accounts automatically.
The problem arises during the dMSA Kerberos authentication. The Privilege Attribute Certificate (PAC) is embedded. This happens in a ticket-granting ticket (TGT). This TGT is issued by a Key Distribution Center (KDC). The PAC includes the dMSA’s security identifier (SID). It also includes SIDs of the superseded account. All associated group SIDs are also present.
The BadSuccessor Attack Explained
This permissions transfer creates a risk. It opens the door to privilege escalation. Attackers can simulate the dMSA migration process. This allows them to compromise any user. Even domain administrators can be targeted. Attackers gain similar privileges. This effectively breaches the entire domain. This can happen even if an organization’s Windows Server 2025 domain does not use dMSAs.
The “simulated migration” technique is notable. It does not need any permissions over the superseded account. The only requirement is write permissions. These must be on the attributes of any dMSA. Once a dMSA is marked as “preceded by” a user, the KDC assumes a legitimate migration. It then grants the dMSA every permission. These are permissions the original user had. The dMSA becomes its “rightful successor.”
Microsoft’s Response and Mitigation
Akamai reported these findings to Microsoft. The report was submitted on April 1, 2025. Microsoft classified the issue as “moderate” in severity. They stated it did not meet the bar for immediate servicing. This is because successful exploitation needs specific permissions. An attacker needs permissions on the dMSA object. This suggests an elevation of privileges is involved.
However, a patch is currently being developed. There is no immediate fix available now. Organizations are advised to take action. They should limit the ability to create dMSAs. Permissions should be hardened wherever possible. Akamai has also released a PowerShell script. This script helps identify principals. It lists who can create dMSAs. It also shows organizational units (OUs) where permissions exist.
A High-Impact Vulnerability
This vulnerability introduces a new abuse path. It is previously unknown. It has a high impact. Any user with “CreateChild” permissions on an OU can compromise any domain user. They can gain similar power. This is comparable to the “Replicating Directory Changes” privilege. That privilege is used in DCSync attacks. Vigilance and proactive security measures are crucial.
The enigmatic surface of Mars continues to yield captivating discoveries, each providing a new piece of the puzzle regarding the Red Planet's deep past. In a significant breakthrough, NASA's Read more
Approximately 300 miles off the picturesque coast of Oregon, a massive submarine volcano known as Axial Seamount is exhibiting compelling signs that it is poised for an eruption—its first since Read more
In a rare and surprising turn of events, Google's unreleased Pixel 10 Pro smartphone has been publicly spotted. This early sighting occurred not through traditional leaks or official announcements, but Read more
Imagine your office view changing from a cubicle wall to a sandy beach in Thailand, a bustling cafe in Lisbon, or a mountain retreat in Colombia. This dream is the Read more
A significant ocean expedition is now underway in the Pacific island nation of Tuvalu, led by National Geographic Pristine Seas. Ocean Expedition Studies Tuvalu Marine Life Read more
Madrid-based fintech company, TaxDown, has successfully raised €4 million in a recent funding round led by Bonsai Partners. This capital infusion will fuel the company's strategic initiatives to enhance its Read more