A newly discovered privilege escalation vulnerability in Windows Server 2025 poses a significant threat to organizations running Active Directory (AD). The technique, dubbed "BadSuccessor", lets an attacker who can create or control a single object of a new account type impersonate any user in AD, including members of Domain Admins. Akamai researcher Yuval Gordon has raised alarms about how easily the attack can be carried out, emphasizing that it works against the server's default configuration.
BadSuccessor attack technique explained
The vulnerability arises from the delegated Managed Service Account (dMSA) feature, which was designed to improve security by replacing legacy, non-managed service accounts with a managed alternative. A dMSA can be migrated in place of a legacy account and inherit its permissions. To do this, the Key Distribution Center (KDC) relies on a single attribute on the dMSA object (msDS-ManagedAccountPrecededByLink) to identify the legacy account being superseded; once a companion state attribute (msDS-DelegatedMSAState) marks the migration as complete, tickets issued for the dMSA carry the superseded account's identity and group memberships.
Researchers at Akamai explored several ways to abuse this. They first tried to migrate permissions from a user account they controlled to a newly created dMSA, but hit a roadblock: only Domain Admins can perform the migrateADServiceAccount rootDSE operation that drives the supported migration. They then changed approach and wrote the link attribute on the dMSA object directly, pointing it at the account being superseded, which was enough to complete the "migration" without the privileged operation.
To execute this, they created a new dMSA and found that the ability to do so is not restricted to privileged AD groups. Any principal holding the "Create msDS-DelegatedManagedServiceAccount objects" permission, or the broader "Create all child objects" permission, on an organizational unit (OU) can create dMSAs there. After identifying an OU where unprivileged users held one of these permissions, they created a dMSA, linked it to an arbitrary user or computer account, and set the state attribute to "migration completed". The dMSA thereby inherits the original account's permissions, and at no point does the attacker need any access to the target account itself.
Next, they used the Rubeus tool to request a Ticket Granting Ticket (TGT) for the dMSA from the KDC; the ticket's PAC contains the SID and group SIDs of the superseded account, so the dMSA can then obtain service tickets from the Ticket Granting Service (TGS) as if it were that account. As Gordon pointed out, just two attribute writes turn a new dMSA into a privileged successor, and the KDC honours the link without checking whether a legitimate migration ever took place. Because the method does not change any group membership, does not elevate an existing account, and does not trip the usual privilege escalation alerts, anyone who can create a dMSA, or write to the attributes of an existing one, can take control of the entire domain.
What to do until a patch is made available?
The implications are broad, since the attack is likely to affect the large majority of organizations running AD. In its analysis, Akamai found that 91% of the environments examined had users outside the Domain Admins group holding the permissions needed to carry out the attack. The dMSA feature can also be abused in domains that do not use dMSAs at all: the schema objects and KDC logic arrive with any Windows Server 2025 domain controller, so a single such DC in the domain is enough to make the technique available to an attacker.
Microsoft has been notified and is working on a patch. Until it ships, organizations are urged to restrict the ability to create dMSAs to trusted administrators only, by reviewing which principals hold "Create msDS-DelegatedManagedServiceAccount objects" or "Create all child objects" on OUs and containers. Akamai has also provided a script to help organizations identify which principals should have those permissions revoked.
Enterprise defenders are advised to log and audit dMSA creation events, to monitor writes to the msDS-ManagedAccountPrecededByLink and msDS-DelegatedMSAState attributes on dMSA objects, and to track dMSA authentication events, so that an attempted abuse is visible even though it triggers none of the usual privilege escalation alerts.
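One way to act on both recommendations above, the permission review and the audit of dMSA creation and attribute writes, as an added script that is not Akamai's published tool. It assumes the RSAT ActiveDirectory module, a domain-wide reader for the ACL sweep, "Audit Directory Service Changes" enabled with a SACL on the relevant OUs for the event query, and a hypothetical domain controller name dc01. Event IDs 5137 (directory object created) and 5136 (directory object modified) are the standard Security-log events; the dMSA authentication events the text mentions are not identified by ID on this page and are left out.

```powershell
# Added defensive script; not Akamai's tool. Part (a) lists OUs and containers where principals
# outside an allowlist can create dMSA objects or otherwise control the container. Part (b)
# pulls Security-log events 5137/5136 for dMSA creation and the two migration attributes.
# Assumed: RSAT AD module; audit policy + SACL for part (b); DC name dc01 is hypothetical.
Import-Module ActiveDirectory

$domainNetbios = (Get-ADDomain).NetBIOSName
# Identities expected to hold these rights; anything else is reported for review.
$Allowlist = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    "$domainNetbios\Domain Admins",
    "$domainNetbios\Enterprise Admins",
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS'
)

function Find-BadSuccessorCreatePermissions {
    # Resolve the schema GUID of the dMSA class so object-specific CreateChild ACEs can be matched.
    $schemaNC  = (Get-ADRootDSE).schemaNamingContext
    $dmsaClass = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter '(lDAPDisplayName=msDS-DelegatedManagedServiceAccount)' -Properties schemaIDGUID
    $dmsaGuid  = [guid]$dmsaClass.schemaIDGUID
    $anyClass  = [guid]::Empty   # CreateChild with an empty ObjectType = "Create all child objects"
    $R = [System.DirectoryServices.ActiveDirectoryRights]

    $containers = Get-ADObject -SearchBase (Get-ADDomain).DistinguishedName `
        -LDAPFilter '(|(objectClass=organizationalUnit)(objectClass=container))'

    foreach ($c in $containers) {
        $acl = Get-Acl -Path ("AD:\" + $c.DistinguishedName)   # includes inherited ACEs
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($Allowlist -contains $ace.IdentityReference.Value) { continue }

            $rights = $ace.ActiveDirectoryRights
            $createsDmsa = $rights.HasFlag($R::CreateChild) -and
                           ($ace.ObjectType -eq $dmsaGuid -or $ace.ObjectType -eq $anyClass)
            # GenericAll / WriteDacl / WriteOwner on the container let a principal grant
            # themselves CreateChild, so they are flagged as well.
            $ownsContainer = $rights.HasFlag($R::GenericAll) -or
                             $rights.HasFlag($R::WriteDacl)  -or
                             $rights.HasFlag($R::WriteOwner)
            if ($createsDmsa -or $ownsContainer) {
                [pscustomobject]@{
                    Container = $c.DistinguishedName
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $rights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

function Get-BadSuccessorAuditEvents {
    param([string]$DomainController = 'dc01', [int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)

    # 5137: object created; keep dMSA objects only. Message matching is coarse but cheap;
    # the XML fields below give the exact values.
    $created = Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
        LogName = 'Security'; Id = 5137; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'msDS-DelegatedManagedServiceAccount' }

    # 5136: object modified; keep writes to the two migration attributes.
    $linked = Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
        LogName = 'Security'; Id = 5136; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'msDS-ManagedAccountPrecededByLink|msDS-DelegatedMSAState' }

    foreach ($e in @($created) + @($linked)) {
        $x = [xml]$e.ToXml()
        $d = @{}; foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            EventId   = $e.Id
            Subject   = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            ObjectDN  = $d.ObjectDN
            Attribute = $d.AttributeLDAPDisplayName
            Value     = $d.AttributeValue
        }
    }
}

Find-BadSuccessorCreatePermissions | Format-Table -AutoSize
Get-BadSuccessorAuditEvents -Hours 72 | Sort-Object Time | Format-Table -AutoSize
```

A 5137 for a dMSA class followed within minutes by 5136 writes of msDS-ManagedAccountPrecededByLink and msDS-DelegatedMSAState from the same subject, where the link points at a privileged account, is the pattern to alert on; a legitimate migration goes through the migrateADServiceAccount operation and is performed by an administrator, not by an ordinary user in a delegated OU.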