Critical Flaw in Windows Server 2025 Allows Full AD Compromise via BadSuccessor

Akamai researchers have discovered a critical flaw in a new Windows Server 2025 feature that could allow attackers to compromise any Active Directory (AD) account—even with limited initial access. The exploit, dubbed BadSuccessor, leverages a misconfiguration risk in delegated Managed Service Accounts (dMSAs), opening the door to full domain compromise.


A High-Impact Vulnerability Hidden in a New Feature

The vulnerability, uncovered by Akamai researcher Yuval Gordon, targets delegated Managed Service Accounts (dMSAs)—a new Windows Server 2025 feature designed to simplify service account management. The idea is straightforward: when replacing a service account, the new dMSA can inherit permissions from the older one it supersedes.

However, Akamai’s research reveals a critical flaw in this inheritance process. With only minimal privileges—such as the ability to create or modify a dMSA object—an attacker can manipulate two specific attributes:

  • **msDS-ManagedAccountPrecededByLink**

  • **msDS-DelegatedMSAState**

By setting msDS-ManagedAccountPrecededByLink to reference any target user (even a Domain Admin) and marking msDS-DelegatedMSAState as 2 (indicating a completed migration), the attacker tricks the system into granting the new dMSA all the permissions of the targeted account.

Why It Matters: Full AD Takeover, Minimal Effort

This attack doesn’t require any direct access to the victim account itself. Instead, it abuses trust in the migration logic to silently escalate privileges. The implications are massive:

  • Complete control over any AD user, including Domain Admins

  • Ability to impersonate, manipulate, or exfiltrate data under any identity

  • Access levels equivalent to DCSync attacks—without requiring replication permissions

According to Akamai’s internal testing, 91% of real-world AD environments already grant users the necessary permissions to carry out this attack.

No Patch Available—Yet

Microsoft was notified of the vulnerability on April 1, 2025, but as of this writing, no official patch exists. Microsoft currently categorizes the issue as Moderate severity, noting that some level of privilege is needed to exploit it.

However, Akamai researchers strongly disagree with the assessment, emphasizing that the CreateChild permission on an Organizational Unit—commonly granted to standard operators—is enough to perform the attack. This places many organizations at serious risk, particularly those who may not yet understand the implications of this new dMSA feature.

“This vulnerability introduces a previously unknown and high-impact abuse path that makes it possible for any user with CreateChild permissions on an OU to compromise any user in the domain.” — Akamai Research Team

What Organizations Should Do Now

Until a patch is released, Akamai urges organizations to take proactive defense measures, including:

  • Audit and monitor dMSA object creation and attribute changes

  • Restrict CreateChild permissions on OUs containing sensitive users

  • Regularly review ACLs on critical OUs and dMSA objects

  • Train AD administrators on the risks of dMSA abuse

  • Implement stricter privilege delegation and role-based access controls
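As an added example (not Akamai's tooling and not part of the original post), the following PowerShell audit covers the first three recommendations above: it lists dMSAs whose predecessor link points at a privileged account while the migration state is 2, and it lists every non-default principal holding CreateChild on an OU. It assumes the RSAT ActiveDirectory module is installed and that dMSA objects use the objectClass name msDS-DelegatedManagedServiceAccount (an assumption, not stated in the article); adminCount=1 is used only as a rough proxy for "privileged".

```powershell
# Added defender-side audit for the BadSuccessor preconditions described above.
# Assumptions: RSAT ActiveDirectory module; dMSA objectClass is
# msDS-DelegatedManagedServiceAccount (assumed, not from the article).
Import-Module ActiveDirectory

function Find-SuspiciousDmsa {
    # dMSAs that claim a completed migration (msDS-DelegatedMSAState = 2) and whose
    # msDS-ManagedAccountPrecededByLink points at an adminCount=1 account.
    $dmsas = Get-ADObject -LDAPFilter '(objectClass=msDS-DelegatedManagedServiceAccount)' `
        -Properties 'msDS-ManagedAccountPrecededByLink','msDS-DelegatedMSAState','whenChanged'
    foreach ($d in $dmsas) {
        $state = $d.'msDS-DelegatedMSAState'
        foreach ($link in @($d.'msDS-ManagedAccountPrecededByLink')) {   # link is DN-valued
            if (-not $link) { continue }
            $pred = Get-ADObject -Identity $link -Properties adminCount -ErrorAction SilentlyContinue
            $priv = [bool]($pred -and $pred.adminCount -eq 1)
            [pscustomobject]@{
                dMSA                  = $d.DistinguishedName
                Predecessor           = $link
                State                 = $state
                PrivilegedPredecessor = $priv
                LastChanged           = $d.whenChanged
                Flag                  = ($state -eq 2 -and $priv)   # review these first
            }
        }
    }
}

function Find-OuCreateChildGrants {
    # Principals holding CreateChild on OUs (the right the article says suffices),
    # excluding built-in principals that are expected to hold it. ObjectType shows the
    # child class the grant covers; an all-zero GUID means any child object class.
    $expected = 'NT AUTHORITY\SYSTEM','BUILTIN\Administrators'
    $createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
    foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
        $acl = Get-Acl -Path ('AD:\' + $ou.DistinguishedName)
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (($ace.ActiveDirectoryRights -band $createChild) -eq 0) { continue }
            $who = $ace.IdentityReference.Value
            if ($expected -contains $who -or $who -like '*\Domain Admins' -or $who -like '*\Enterprise Admins') { continue }
            [pscustomobject]@{ OU = $ou.DistinguishedName; Principal = $who
                               ObjectType = $ace.ObjectType; Inherited = $ace.IsInherited }
        }
    }
}

Find-SuspiciousDmsa | Where-Object Flag | Format-Table -AutoSize
Find-OuCreateChildGrants | Format-Table -AutoSize
```

Run it from a domain-joined host with read access to the directory; any row from the first function, and any unexpected principal in the second, is a candidate for ACL tightening or monitoring.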

Final Thoughts

The BadSuccessor vulnerability is a clear example of how new features—while designed for efficiency—can introduce dangerous attack surfaces when not thoroughly secured. As Windows Server 2025 adoption increases, so too does the need to fully understand the security implications of its evolving architecture.

Until Microsoft releases an official fix, visibility, permission hardening, and threat detection are your best defense against this silent and severe privilege escalation vector.
