An unpatched vulnerability in Windows Server 2025, identified by Akamai researchers, poses a significant risk to cybersecurity, particularly through a method dubbed “BadSuccessor.” This flaw, described as “trivial” to exploit and present in the default configuration, serves as a gateway to privilege escalation and potential full domain compromise.
Understanding the Vulnerability
The issue arises from a new account type introduced by Microsoft known as delegated managed service accounts (dMSA). This account type was designed to facilitate the migration of legacy service accounts to more secure machine accounts. However, the rapid proliferation of machine identities—often inadequately secured and excessively privileged—has created new challenges for cybersecurity professionals.
Microsoft’s intention with dMSA was to mitigate the risk of hackers harvesting Active Directory credentials through compromised accounts. Authentication for a dMSA is tied to device identity, ensuring that only the machine identities mapped to it in Active Directory can use the account. Yet a critical aspect of dMSA is its ability to inherit the permissions of the legacy account it replaces, a feature that has caught the attention of malicious actors.
Yuval Gordon, an Akamai researcher, elaborated on this exploitation technique in a recent blog post, emphasizing that the method hinges on how Windows manages dMSA migrations. The vulnerability allows an attacker who controls a dMSA object to simulate a migration, effectively instructing the key distribution center that a new account is superseding a legacy account. This results in the attacker receiving the permissions and encryption keys of the legacy account without any actual migration, verification, or oversight required.
Mechanics of the Attack
The key distribution center relies on a single attribute, msDS-ManagedAccountPrecededByLink, to ascertain which account the dMSA is intended to replace. When a dMSA authenticates, the privilege attribute certificate (PAC) is constructed solely from this link. To initiate a BadSuccessor attack, an intruder would need to possess permissions within an Active Directory organizational unit, meaning a prior breach would already have occurred. However, the stealthy nature of this method allows attackers to gain elevated privileges without raising the alarms typically associated with traditional privilege escalation.
Gordon noted that his interest in dMSAs stemmed from their design to inherit permissions, describing it as an “inherently powerful operation.” Akamai reported the BadSuccessor vulnerability to Microsoft on April 1, but the company assessed the exploit’s severity as “moderate,” a classification that Akamai argues underestimates its potential impact. Gordon stated, “Once an attacker has the right permissions, they can set up a dMSA in just a few PowerShell commands,” further adding that built-in tools like Task Scheduler could be leveraged for exploitation without the need for custom binaries.
Recommendations for Organizations
In light of these findings, Akamai advises organizations to restrict the ability to create dMSAs, thereby reducing the risk associated with this vulnerability. As the landscape of cybersecurity continues to evolve, vigilance and proactive measures are essential in safeguarding sensitive information and maintaining the integrity of Active Directory environments.
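The following audit script is an added example for defenders and is not code from the article or from Akamai. It lists every dMSA that carries a predecessor link (the single attribute the KDC trusts, as described above) together with the predecessor it points at, and then reports which principals can create dMSA objects in each OU, which is the ability Akamai recommends restricting. It assumes the RSAT ActiveDirectory module and the schema names msDS-DelegatedManagedServiceAccount (the dMSA object class) and msDS-ManagedAccountPrecededByLink.

```powershell
# Added example (not from the article or Akamai). Assumes the RSAT ActiveDirectory module
# and the dMSA schema names below; run with read access to the domain and OU ACLs.
Import-Module ActiveDirectory

$dmsaClass = 'msDS-DelegatedManagedServiceAccount'   # dMSA object class (assumed name)
$linkAttr  = 'msDS-ManagedAccountPrecededByLink'     # the link the KDC builds the PAC from

# 1. Every dMSA that claims to supersede another account. Each entry should correspond
#    to a migration the administrators actually performed; anything else is suspicious.
Write-Host "== dMSA objects with a predecessor link =="
Get-ADObject -LDAPFilter "(objectClass=$dmsaClass)" -Properties $linkAttr, whenCreated |
  Where-Object { $_.$linkAttr } |
  ForEach-Object {
      $pred = Get-ADObject -Identity $_.$linkAttr -Properties adminCount
      [pscustomobject]@{
          dMSA           = $_.DistinguishedName
          Created        = $_.whenCreated
          Predecessor    = $pred.DistinguishedName
          PredAdminCount = $pred.adminCount   # 1 indicates an AdminSDHolder-protected account
      }
  } | Format-Table -AutoSize

# 2. Principals that may create dMSA objects in each OU (CreateChild for this class,
#    CreateChild for all classes, or GenericAll). Expected admin groups are filtered out.
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$classGuid = [guid](Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$dmsaClass)" `
                    -Properties schemaIDGUID).schemaIDGUID
$createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
$genericAll  = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$ignore = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators'
Write-Host "== Principals with dMSA create rights, per OU =="
Get-ADOrganizationalUnit -Filter * | ForEach-Object {
    $ou = $_.DistinguishedName
    (Get-Acl -Path "AD:\$ou").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -notin $ignore -and
        $_.IdentityReference.Value -notlike '*\Domain Admins' -and
        $_.IdentityReference.Value -notlike '*\Enterprise Admins' -and
        (
          ((($_.ActiveDirectoryRights -band $createChild) -ne 0) -and
           ($_.ObjectType -eq $classGuid -or $_.ObjectType -eq [guid]::Empty)) -or
          (($_.ActiveDirectoryRights -band $genericAll) -eq $genericAll)
        )
    } | ForEach-Object {
        [pscustomobject]@{ OU = $ou; Principal = $_.IdentityReference.Value
                           Rights = $_.ActiveDirectoryRights; Inherited = $_.IsInherited }
    }
} | Format-Table -AutoSize
```

Principals reported in the second table are candidates for having the create right removed; only OUs are enumerated, so check the domain root and any containers holding dMSAs separately.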