Showing posts with the label AD

Critical Flaw in Windows Server 2025 Allows Full AD Compromise via BadSuccessor

Akamai researchers have discovered a critical flaw in a new Windows Server 2025 feature that could allow attackers to compromise any Active Directory (AD) account, even with limited initial access. The exploit, dubbed BadSuccessor, leverages a misconfiguration risk in delegated Managed Service Accounts (dMSAs), opening the door to full domain compromise.

A High-Impact Vulnerability Hidden in a New Feature

The vulnerability, uncovered by Akamai researcher Yuval Gordon, targets delegated Managed Service Accounts (dMSAs), a new Windows Server 2025 feature designed to simplify service account management. The idea is straightforward: when replacing a service account, the new dMSA can inherit permissions from the older one it supersedes. However, Akamai's research reveals a critical flaw in this inheritance process. With only minimal privileges, such as the ability to create or modify a dMSA object, an attacker can manipulate two specific attributes: msDS-ManagedAccountPrecededB...