A significant security flaw has emerged. It affects Windows Server 2025. This vulnerability allows privilege escalation. Attackers could compromise any user in Active Directory (AD). This is a critical concern for many organizations.
Understanding the dMSA Vulnerability
This attack exploits a new feature. It is called delegated Managed Service Account (dMSA). Microsoft introduced dMSA in Windows Server 2025. It was meant to help with Kerberoasting attacks. However, a flaw now exists. Security researchers at Akamai discovered it.
The vulnerability works with default settings. It is also “trivial to implement.” This makes it especially dangerous. Akamai named this attack technique BadSuccessor.
Widespread Impact on Organizations
This issue likely affects most organizations. Many companies rely on Active Directory. Akamai examined many environments. In 91% of them, users outside the domain admins group had permissions. These permissions were enough to perform this attack. This highlights a widespread risk.
How dMSA Functions and the Core Problem
dMSA allows users to create standalone accounts. It also lets them replace existing standard service accounts. When a dMSA supersedes an account, authentication via the old password is blocked. The request then goes to the Local Security Authority (LSA). LSA authenticates using dMSA. The dMSA gains access to everything the previous account could access in AD. During migration, dMSA learns device usage. It moves from all existing service accounts automatically.
The problem arises during the dMSA Kerberos authentication. The Privilege Attribute Certificate (PAC) is embedded. This happens in a ticket-granting ticket (TGT). This TGT is issued by a Key Distribution Center (KDC). The PAC includes the dMSA’s security identifier (SID). It also includes SIDs of the superseded account. All associated group SIDs are also present.
The BadSuccessor Attack Explained
This permissions transfer creates a risk. It opens the door to privilege escalation. Attackers can simulate the dMSA migration process. This allows them to compromise any user. Even domain administrators can be targeted. Attackers gain similar privileges. This effectively breaches the entire domain. This can happen even if an organization’s Windows Server 2025 domain does not use dMSAs.
The “simulated migration” technique is notable. It does not need any permissions over the superseded account. The only requirement is write permissions. These must be on the attributes of any dMSA. Once a dMSA is marked as “preceded by” a user, the KDC assumes a legitimate migration. It then grants the dMSA every permission. These are permissions the original user had. The dMSA becomes its “rightful successor.”
Microsoft’s Response and Mitigation
Akamai reported these findings to Microsoft. The report was submitted on April 1, 2025. Microsoft classified the issue as “moderate” in severity. They stated it did not meet the bar for immediate servicing. This is because successful exploitation needs specific permissions. An attacker needs permissions on the dMSA object. This suggests an elevation of privileges is involved.
However, a patch is currently being developed. There is no immediate fix available now. Organizations are advised to take action. They should limit the ability to create dMSAs. Permissions should be hardened wherever possible. Akamai has also released a PowerShell script. This script helps identify principals. It lists who can create dMSAs. It also shows organizational units (OUs) where permissions exist.
A High-Impact Vulnerability
This vulnerability introduces a new abuse path. It is previously unknown. It has a high impact. Any user with “CreateChild” permissions on an OU can compromise any domain user. They can gain similar power. This is comparable to the “Replicating Directory Changes” privilege. That privilege is used in DCSync attacks. Vigilance and proactive security measures are crucial.
A seemingly innocuous detail in a video broadcast from China's Tiangong space station ignited a surprising debate. The footage, part of a live-streamed science lesson, showcased a glass of clear Read more
Eligible Apple users in the United States who may have been impacted by alleged past issues concerning Siri privacy now have the opportunity to submit claims for a share of Read more
NASA's Jet Propulsion Laboratory (JPL) is actively monitoring three asteroids as they make close approaches to Earth. These space rocks are traveling at incredible speeds, ranging from approximately 8,000 to Read more
The world of content creation evolves rapidly, and panoramic video captured by a 360 camera has become an indispensable tool for creators, adventurers, and professionals alike. For years, Insta360 has Read more
Axiom Space's highly anticipated next astronaut launch, designated Ax-4, is back on the schedule, albeit with a new target date after a series of unexpected delays. This mission marks Read more
Many Americans nationwide are increasingly frustrated with escalating prices across various services. This trend has particularly impacted home internet bills. Numerous internet providers have substantially hiked their service fees, Read more