Unpatched Windows Server vulnerability allows full domain compromise

A privilege escalation vulnerability in Windows Server 2025 can be used by attackers to compromise any user in Active Directory (AD), including Domain Admins.


“The [“BadSuccessor”] attack exploits the delegated Managed Service Account (dMSA) feature that was introduced in Windows Server 2025, works with the default configuration, and is trivial to implement,” Akamai researcher Yuval Gordon warned.

BadSuccessor attack technique explained

The exploitable feature was introduced to help organizations replace the legacy non-managed service accounts used by applications and systems with more secure delegated Managed Service Accounts.

The migration process couples a legacy account with a dMSA and makes the latter seamlessly inherit the legacy account's permissions. Akamai researchers discovered, however, that this automatic inheritance of privileges hinges on a single attribute, which the Key Distribution Center (KDC) relies on to determine which legacy account the dMSA is replacing.

With that info in mind, they explored several attack avenues.

They first tried to migrate the permissions of a user account they controlled to a new dMSA they had created and then authenticate as that user, but failed, because only Domain Admins can perform the migrateADServiceAccount rootDSE operation.

Then they tried setting an attribute on the dMSA object to link it to the account it supersedes, together with a value indicating that the migration has been completed, and it worked.

To do that, they first had to create a new dMSA, and they discovered that the ability to create new dMSAs is not reserved for privileged Active Directory groups: any user that has the Create msDS-DelegatedManagedServiceAccount or “Create all child objects” permission on any organizational unit in the domain can create them.

So, they found an organizational unit on which an unprivileged user had “Create all child objects” permissions and used that user to create a new dMSA. Then they set the msDS-ManagedAccountPrecededByLink attribute to link any user or computer account to the dMSA, set the “migration complete” value, and voilà: the created dMSA “inherited” the permissions of the superseded account, without the attacker needing any permissions over that specific account.

Finally, they used the Rubeus tool to request a Ticket Granting Ticket from the Key Distribution Center (KDC), which allowed them to request access tokens from its Ticket Granting Service (TGS).

“With just two attribute changes, a humble new object is crowned the successor — and the KDC never questions the bloodline; if the link is there, the privileges are granted. We didn’t change a single group membership, didn’t elevate any existing account, and didn’t trip any traditional privilege escalation alerts,” Gordon noted.

This technique effectively allows any user who controls a dMSA object to achieve control over the entire domain.

What to do until a patch is made available?

“This issue likely affects most organizations that rely on AD. In 91% of the environments we examined, we found users outside the domain admins group that had the required permissions to perform this attack,” Gordon noted, and added that the dMSA feature can be abused even if the organization’s domain doesn’t use it.

“As long as the [dMSA] feature exists, which it does in any domain with at least one Windows Server 2025 domain controller (DC), it becomes available [to attackers].”

The researchers have informed Microsoft of their discovery and the company is working on a fix, but in the meantime, organizations are advised to limit the permission to create dMSAs to trusted administrators only. (Akamai has published a script organizations can use to identify principals that should lose that permission.)
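The audit described above can be approximated with the following PowerShell, added here as an illustration; it is not Akamai's script. It assumes the RSAT ActiveDirectory module and a domain-joined session that can read the schema and the security descriptors of organizational units.

```powershell
# Added example: list OU ACEs that allow a principal to create dMSA objects.
# Assumes the RSAT ActiveDirectory module and read access to the schema and
# to OU security descriptors (the AD: PSDrive is created by the module).
Import-Module ActiveDirectory

# Resolve the schemaIDGUID of the msDS-DelegatedManagedServiceAccount class so
# that object-specific "Create child" ACEs for that class can be recognised.
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$dmsaClass = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(ldapDisplayName=msDS-DelegatedManagedServiceAccount)' `
    -Properties schemaIDGUID
if (-not $dmsaClass) {
    # The class is only present once a Windows Server 2025 DC has extended the schema.
    Write-Warning 'msDS-DelegatedManagedServiceAccount is not in the schema; dMSAs cannot exist here.'
    return
}
$dmsaGuid = [guid]$dmsaClass.schemaIDGUID

$findings = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # CreateChild is also implied by GenericAll, so test the bit rather than equality.
        $createBit = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
        if (($ace.ActiveDirectoryRights -band $createBit) -eq 0) { continue }
        # Empty ObjectType means "Create all child objects"; otherwise it must name the dMSA class.
        if ($ace.ObjectType -ne [guid]::Empty -and $ace.ObjectType -ne $dmsaGuid) { continue }
        [pscustomobject]@{
            OU        = $ou.DistinguishedName
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.ActiveDirectoryRights
            Scope     = if ($ace.ObjectType -eq [guid]::Empty) { 'All child objects' } else { 'dMSA only' }
            Inherited = $ace.IsInherited
        }
    }
}

# Every principal listed that is not a trusted administrator should have the
# right removed (edit the ACL with Set-Acl, or via the OU's Security tab).
$findings | Sort-Object OU, Principal | Format-Table -AutoSize
```

Inherited entries point at the parent container where the right is actually granted, so fix the ACE at its source rather than on each child OU.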

Enterprise defenders should also start logging and auditing dMSA creation events, monitoring attribute modifications, and tracking dMSA authentication events, the researchers advised.
