A privilege escalation flaw has been demonstrated in Windows Server 2025 that makes it possible for attackers to compromise any user in Active Directory (AD).
“The attack exploits the delegated Managed Service Account (dMSA) feature that was introduced in Windows Server 2025, works with the default configuration, and is trivial to implement,” Akamai security researcher Yuval Gordon said in a report shared with The Hacker News.
“This issue likely affects most organizations that rely on AD. In 91% of the environments we examined, we found users outside the domain admins group that had the required permissions to perform this attack.”
What makes the attack pathway notable is that it leverages a new feature called Delegated Managed Service Accounts (dMSA) that allows migration from an existing legacy service account. It was introduced in Windows Server 2025 as a mitigation to Kerberoasting attacks.
The attack technique has been codenamed BadSuccessor by the web infrastructure and security company.
“dMSA allows users to create them as a standalone account, or to replace an existing standard service account,” Microsoft notes in its documentation. “When a dMSA supersedes an existing account, authentication to that existing account using its password is blocked.”
“The request is redirected to the Local Security Authority (LSA) to authenticate using dMSA, which has access to everything the previous account could access in AD. During migration, dMSA automatically learns the devices on which the service account is to be used which is then used to move from all existing service accounts.”
The problem identified by Akamai is that during the dMSA Kerberos authentication phase, the Privilege Attribute Certificate (PAC) embedded into a ticket-granting ticket (i.e., credentials used to verify identity) issued by a key distribution center (KDC) includes both the dMSAs security identifier (SID) as well as the SIDs of the superseded service account and of all its associated groups.
This permissions transfer between accounts could open the door to a potential privilege escalation scenario by simulating the dMSA migration process to compromise any user, including domain administrators, and gain similar privileges, effectively breaching the entire domain even if an organization’s Windows Server 2025 domain isn’t using dMSAs at all.
“One interesting fact about this ‘simulated migration’ technique, is that it doesn’t require any permissions over the superseded account,” Gordon said. “The only requirement is to write permissions over the attributes of a dMSA. Any dMSA.”
“Once we’ve marked a dMSA as preceded by a user, the KDC automatically assumes a legitimate migration took place and happily grants our dMSA every single permission that the original user had, as though we are its rightful successor.”
Akamai said it reported the findings to Microsoft on April 1, 2025, following which the tech giant classified the issue as moderate in severity and that it does not meet the bar for immediate servicing due to the fact that successful exploitation requires an attacker to have specific permissions on the dMSA object, which suggests an elevation of privileges. However, a patch is currently in the works.
Given that there is no immediate fix for the attack, organizations are advised to limit the ability to create dMSAs and harden permissions wherever possible. Akamai has also released a PowerShell script that can enumerate all non-default principals who can create dMSAs and list the organizational units (OUs) in which each principal has this permission.
“This vulnerability introduces a previously unknown and high-impact abuse path that makes it possible for any user with CreateChild permissions on an OU to compromise any user in the domain and gain similar power to the Replicating Directory Changes privilege used to perform DCSync attacks,” Gordon said.
About The Author
Original post here
