BadSuccessor Exploits Windows Server 2025 Flaw for Full AD Takeover
Akamai researchers reveal a critical flaw in Windows Server 2025 dMSA feature that allows attackers to compromise any Active Directory user. Learn about the BadSuccessor attack and mitigation steps.
A significant security flaw has been uncovered in Windows Server 2025, posing a serious threat to organizations utilizing Active Directory (AD). Discovered by Akamai researcher Yuval Gordon, this privilege escalation vulnerability could allow malicious actors to gain full control over any user account within an organization’s AD, even with minimal initial access.
**The BadSuccessor Attack Explained**
According to Akamai’s research, shared exclusively with Hackread.com, the vulnerability abuses a new feature introduced in Windows Server 2025 called delegated Managed Service Accounts (dMSAs). dMSAs are designed to streamline service account management: a new dMSA can supersede a legacy service account and take over its permissions as part of a migration.
However, Gordon’s research revealed a critical oversight in this process. An attacker can fake such a migration by modifying just two attributes on a dMSA object: msDS-ManagedAccountPrecededByLink and msDS-DelegatedMSAState. Setting the first attribute to the distinguished name of a target account and the second to 2 (the value meaning “migration completed”) is enough to make the domain controller treat the dMSA as the legitimate successor of that account.
This technique, dubbed BadSuccessor by the researchers, gives the attacker’s dMSA all the privileges of the targeted account, including members of highly privileged groups like Domain Admins. Crucially, the attack requires no permissions on the targeted account itself; the attacker only needs to be able to create a new dMSA or write to an existing one.
**Widespread Impact and No Immediate Patch**
The implications of this discovery are far-reaching. Akamai’s analysis revealed that in 91% of tested environments, users outside the domain admins group already possessed the necessary permissions to execute this attack. This highlights the widespread potential for compromise across organizations that rely on Active Directory.
Even more concerning, Microsoft has acknowledged the issue, which Akamai reported on April 1, 2025, but no patch is currently available. Microsoft has assessed the vulnerability as Moderate severity, citing that exploitation requires existing permissions on a dMSA object; Akamai researchers strongly disagree.
They emphasize that the ability to create a new dMSA, a benign permission often granted to users, can lead to full domain compromise. They compare its impact to highly critical attacks like DCSync.
“This vulnerability introduces a previously unknown and high-impact abuse path that makes it possible for any user with CreateChild permissions on an OU to compromise any user in the domain and gain similar power to the Replicating Directory Changes privilege used to perform DCSync attacks,” researchers wrote in the blog post.
**Proactive Measures and Ongoing Risks**
With no immediate fix from Microsoft, organizations are urged to take proactive steps to reduce their exposure. Key recommendations include monitoring for the creation of new dMSA objects and for modifications to the msDS-ManagedAccountPrecededByLink attribute, tracking dMSA authentication events, and reviewing which principals hold create permissions on Organizational Units (OUs).
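The following PowerShell script is an added example, not Akamai’s tooling or anything published with the research. It turns the two points above into an audit: it lists OUs where a principal outside an expected set can create dMSA objects (the CreateChild exposure described in the attack section), and it lists existing dMSAs whose msDS-ManagedAccountPrecededByLink is already set, together with the msDS-DelegatedMSAState value and whether the linked account is flagged with adminCount. It assumes the RSAT ActiveDirectory module, read access to the domain, and a forest whose schema includes the Windows Server 2025 dMSA class; the $ExpectedPrincipals list and the English built-in group names are assumptions you should adjust for your environment.

```powershell
# Added example (not Akamai's tool): audit a domain for BadSuccessor exposure.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

# Principals that are expected to be able to create dMSAs; everyone else is reported.
# Assumption: English default names. Extend with your own service-management groups.
$ExpectedPrincipals = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    "$env:USERDOMAIN\Domain Admins",
    "$env:USERDOMAIN\Enterprise Admins"
)

# Resolve the schemaIDGUID of the dMSA object class from the schema rather than
# hardcoding it, so the check works in any forest that has the 2025 schema.
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$dmsaClass = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=msDS-DelegatedManagedServiceAccount)' `
    -Properties schemaIDGUID
if (-not $dmsaClass) {
    throw 'Schema has no msDS-DelegatedManagedServiceAccount class; dMSAs cannot exist here.'
}
$dmsaGuid    = [guid]$dmsaClass.schemaIDGUID
$anyObject   = [guid]::Empty   # ObjectType of all zeros means "any child class"
$createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
$genericAll  = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

function Get-DmsaCreateChildExposure {
    # Every OU where a principal outside $ExpectedPrincipals is allowed to create
    # dMSA children (explicitly, or via an ACE that covers any child class).
    Get-ADOrganizationalUnit -Filter * | ForEach-Object {
        $dn  = $_.DistinguishedName
        $acl = Get-Acl -Path "AD:\$dn"
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $rights = $ace.ActiveDirectoryRights
            $canCreate = (($rights -band $createChild) -eq $createChild) -or
                         (($rights -band $genericAll)  -eq $genericAll)
            if (-not $canCreate) { continue }
            # The ACE must apply to the dMSA class or to every object class.
            if ($ace.ObjectType -ne $dmsaGuid -and $ace.ObjectType -ne $anyObject) { continue }
            $who = $ace.IdentityReference.Value
            if ($ExpectedPrincipals -contains $who) { continue }
            [pscustomobject]@{
                OU        = $dn
                Principal = $who
                Rights    = $rights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Get-LinkedDmsa {
    # Existing dMSAs that claim to supersede another account. A link to an account
    # with adminCount=1 and a state of 2 is exactly what a BadSuccessor object looks like.
    Get-ADObject -LDAPFilter '(objectClass=msDS-DelegatedManagedServiceAccount)' `
        -Properties 'msDS-ManagedAccountPrecededByLink', 'msDS-DelegatedMSAState' |
    Where-Object { $_.'msDS-ManagedAccountPrecededByLink' } |
    ForEach-Object {
        $targetDn = [string]$_.'msDS-ManagedAccountPrecededByLink'
        $target   = Get-ADObject -Identity $targetDn -Properties adminCount -ErrorAction SilentlyContinue
        [pscustomobject]@{
            DMSA             = $_.DistinguishedName
            Supersedes       = $targetDn
            State            = $_.'msDS-DelegatedMSAState'   # 2 = migration completed
            TargetAdminCount = if ($target) { $target.adminCount } else { 'unresolved' }
        }
    }
}

Write-Host '== OUs where non-expected principals can create dMSAs =='
Get-DmsaCreateChildExposure | Format-Table -AutoSize

Write-Host '== dMSAs with msDS-ManagedAccountPrecededByLink set =='
Get-LinkedDmsa | Format-Table -AutoSize
```

Run it as a domain user with read access; it changes nothing. Two caveats: it only walks OUs, so add the default containers (for example CN=Users and CN=Computers) if your environment allows object creation there, and it does not chase WriteDacl or WriteOwner on an OU, either of which lets a principal grant itself CreateChild. For ongoing monitoring, pair the second query with a SACL on dMSA objects so that writes to msDS-ManagedAccountPrecededByLink produce directory-service change events you can alert on.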
As Windows Server 2025 becomes more widely adopted, organizations must prioritize understanding and mitigating the risks associated with its new features.