Akamai has warned of a significant privilege-escalation vulnerability in the Active Directory functionality of Windows Server 2025. The issue has been dubbed “BadSuccessor” and is described in a recent Akamai blog post.
The vulnerability stems from a feature called “delegated Managed Service Account” (dMSA), introduced with Windows Server 2025. The feature is vulnerable in its default configuration, and Akamai describes the exploitation method as straightforward.
Key Points of the Vulnerability
The analysis indicates substantial risk, with most organizations using Active Directory affected: in 91% of the environments Akamai examined, user accounts outside the Domain Admins group held the permissions needed to carry out the attack. Microsoft is aware of the issue and plans to fix it, but no patch has been released yet.
With the introduction of dMSAs, an attacker who holds the necessary permissions on one of the domain’s organizational units (OUs) may be able to use such an account to take over any principal in the domain. Notably, dMSAs do not need to be in active use in the domain; the mere presence of a Windows Server 2025 machine on the network is sufficient for exploitation.
Proposed Countermeasures
To mitigate this threat, Akamai recommends identifying all principals (users, groups, and computers) authorized to create dMSAs and restricting that permission to trusted administrators only. Akamai has also published a PowerShell script that finds non-standard principals authorized to create dMSAs and lists the OUs on which they hold that right.
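The audit Akamai describes can be reproduced with the ActiveDirectory module alone. The script below is an added example written for this article, not Akamai’s script and not Microsoft code: it walks every OU, reads its ACL, and reports allow ACEs that grant either CreateChild for the msDS-DelegatedManagedServiceAccount class (or for all child classes) or control rights over the OU itself (GenericAll, WriteDacl, WriteOwner). The schema GUID of the dMSA class is resolved at run time rather than hard-coded, and the `$TrustedPrincipals` list is an assumption to be adjusted per environment.

```powershell
# Added example, not Akamai's script: list principals that can create dMSA objects
# under each OU. Assumes the RSAT ActiveDirectory module is installed and the
# running account can read OU ACLs (any authenticated user normally can).
Import-Module ActiveDirectory

# Assumption: identities that are expected to hold these rights; edit for your domain.
$TrustedPrincipals = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    "$env:USERDOMAIN\Domain Admins",
    "$env:USERDOMAIN\Enterprise Admins"
)

# Resolve the dMSA object-class GUID from the live schema. If the class is absent,
# the Windows Server 2025 schema extension is not present and there is nothing to audit.
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$dmsaClass = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=msDS-DelegatedManagedServiceAccount)' `
    -Properties schemaIDGUID
if (-not $dmsaClass) {
    Write-Warning 'msDS-DelegatedManagedServiceAccount class not found in the schema.'
    return
}
$dmsaGuid = [guid]$dmsaClass.schemaIDGUID   # schemaIDGUID is stored as a byte array
$allGuid  = [guid]::Empty                   # all-zeros ObjectType = applies to every child class

# Rights of interest: creating a child object, or taking control of the OU outright.
$createRights  = [int][System.DirectoryServices.ActiveDirectoryRights]::CreateChild
$controlRights = [int][System.DirectoryServices.ActiveDirectoryRights]'GenericAll, WriteDacl, WriteOwner'

$findings = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $acl = Get-Acl -Path ("AD:\" + $ou.DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($TrustedPrincipals -contains $ace.IdentityReference.Value) { continue }

        $rights = [int]$ace.ActiveDirectoryRights
        # CreateChild counts only if it is scoped to dMSA objects or to all child classes.
        $canCreateDmsa = (($rights -band $createRights) -ne 0) -and
                         ($ace.ObjectType -eq $dmsaGuid -or $ace.ObjectType -eq $allGuid)
        # GenericAll / WriteDacl / WriteOwner let the holder grant themselves CreateChild anyway.
        $controlsOu = ($rights -band $controlRights) -ne 0

        if ($canCreateDmsa -or $controlsOu) {
            [pscustomobject]@{
                OU         = $ou.DistinguishedName
                Principal  = $ace.IdentityReference.Value
                Rights     = $ace.ActiveDirectoryRights
                Scope      = if ($ace.ObjectType -eq $dmsaGuid) { 'msDS-DelegatedManagedServiceAccount' }
                             elseif ($ace.ObjectType -eq $allGuid) { 'All child objects' }
                             else { $ace.ObjectType }
                Inherited  = $ace.IsInherited
            }
        }
    }
}

$findings | Sort-Object OU, Principal | Format-Table -AutoSize
```

Every row in the output is an OU where a non-trusted principal can create a dMSA (directly or by first rewriting the OU’s ACL), which is exactly the permission Akamai advises confining to trusted administrators. Inherited ACEs are flagged so that a single over-broad grant high in the tree is not mistaken for many separate delegations; containers other than OUs (for example CN=Computers) are not covered by `Get-ADOrganizationalUnit` and would need a separate pass.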
As of now, the timeline for when Microsoft will issue a fix for this vulnerability remains uncertain.