Windows Server 2025 Flaw: Active Directory at Risk

A significant security flaw has emerged in Windows Server 2025. The vulnerability allows privilege escalation: an attacker could compromise any user in Active Directory (AD), which makes it a critical concern for many organizations.

Understanding the dMSA Vulnerability

The attack exploits a new feature called delegated Managed Service Account (dMSA), which Microsoft introduced in Windows Server 2025 to mitigate Kerberoasting attacks. Security researchers at Akamai discovered a flaw in it.

The vulnerability works under default settings and is, in Akamai's words, "trivial to implement," which makes it especially dangerous. Akamai named the attack technique BadSuccessor.

Widespread Impact on Organizations

The issue likely affects most organizations, since so many rely on Active Directory. In 91% of the environments Akamai examined, users outside the Domain Admins group already held permissions sufficient to perform this attack, which shows how widespread the risk is.

How dMSA Functions and the Core Problem

dMSA lets users create standalone accounts or replace existing standard service accounts. When a dMSA supersedes an account, authentication with the old account's password is blocked; the request is instead handled by the Local Security Authority (LSA), which authenticates using the dMSA. The dMSA thereby gains access to everything the previous account could reach in AD. During migration the dMSA learns how the device is used and migrates automatically from all existing service accounts.

The problem arises during dMSA Kerberos authentication. The Key Distribution Center (KDC) issues a ticket-granting ticket (TGT) that embeds a Privilege Attribute Certificate (PAC). That PAC includes not only the dMSA's security identifier (SID) but also the SIDs of the superseded account and all of its associated groups.

The BadSuccessor Attack Explained

This transfer of permissions creates a privilege-escalation risk. By simulating the dMSA migration process, an attacker can compromise any user, including domain administrators, and gain equivalent privileges, effectively breaching the entire domain. This works even if an organization's Windows Server 2025 domain does not use dMSAs at all.

The "simulated migration" technique is notable because it needs no permissions over the superseded account; the only requirement is write access to the attributes of any dMSA. Once a dMSA is marked as "preceded by" a user, the KDC assumes a legitimate migration took place and grants the dMSA every permission the original user had. The dMSA becomes the user's "rightful successor."

Microsoft’s Response and Mitigation

Akamai reported the findings to Microsoft on April 1, 2025. Microsoft classified the issue as "moderate" in severity and stated that it did not meet the bar for immediate servicing, because successful exploitation requires specific permissions on the dMSA object, which in Microsoft's view already implies elevated privileges.

A patch is being developed, but no fix is available yet. In the meantime, organizations are advised to limit who can create dMSAs and to harden permissions wherever possible. Akamai has also released a PowerShell script that identifies the principals able to create dMSAs and the organizational units (OUs) in which those permissions exist.
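The two defender checks the article points at, as an added example (this is not Akamai's released script): the first lists non-admin principals that hold CreateChild on any OU, which is the permission the simulated migration needs; the second lists every existing dMSA that claims to be "preceded by" another account, which is the artifact a migration, legitimate or simulated, leaves behind. It assumes the RSAT ActiveDirectory module and a schema that already contains the dMSA object class; the expected-admin list is an assumption to tune per environment.

```powershell
Import-Module ActiveDirectory

function Get-DmsaCreatePermissions {
    $rootDse = Get-ADRootDSE
    # Resolve the dMSA class GUID from the schema rather than hard-coding it
    $dmsaClass = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter '(lDAPDisplayName=msDS-DelegatedManagedServiceAccount)' `
        -Properties schemaIDGUID
    if (-not $dmsaClass) { throw 'dMSA class not in schema; no Windows Server 2025 DC?' }
    $dmsaGuid = [guid]$dmsaClass.schemaIDGUID
    $anyGuid  = [guid]'00000000-0000-0000-0000-000000000000'   # ACE applies to all child classes
    $createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
    # Principals expected to hold this right (assumption; adjust for your environment)
    $expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                  "$env:USERDOMAIN\Domain Admins", "$env:USERDOMAIN\Enterprise Admins")

    foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
        $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            # GenericAll already contains the CreateChild bit, so it is caught here too
            if (-not ($ace.ActiveDirectoryRights -band $createChild)) { continue }
            if ($ace.ObjectType -ne $anyGuid -and $ace.ObjectType -ne $dmsaGuid) { continue }
            if ($expected -contains $ace.IdentityReference.Value) { continue }
            [pscustomobject]@{
                OU        = $ou.DistinguishedName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.ActiveDirectoryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Find-DmsaPrecededByLinks {
    # Every dMSA whose "preceded by" link is set; review each against a known,
    # sanctioned migration and treat links to privileged users as incidents
    Get-ADObject -LDAPFilter '(objectClass=msDS-DelegatedManagedServiceAccount)' `
        -Properties msDS-ManagedAccountPrecededByLink, msDS-DelegatedMSAState, whenCreated |
    Where-Object { $_.'msDS-ManagedAccountPrecededByLink' } |
    Select-Object DistinguishedName, whenCreated, msDS-DelegatedMSAState,
        @{ n = 'PrecededBy'; e = { $_.'msDS-ManagedAccountPrecededByLink' } }
}

Get-DmsaCreatePermissions | Format-Table -AutoSize
Find-DmsaPrecededByLinks  | Format-Table -AutoSize
```

Rights found by the first function are removable with the OU's ACL editor or Set-Acl; an unexpected non-empty result from the second is worth an incident ticket rather than a cleanup.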

A High-Impact Vulnerability

This vulnerability introduces a previously unknown, high-impact abuse path: any user with "CreateChild" permission on an OU can compromise any domain user, gaining power comparable to the "Replicating Directory Changes" privilege abused in DCSync attacks. Vigilance and proactive security measures are crucial.