Akamai researchers have detected a serious privilege escalation vulnerability in Windows Server 2025, dubbed “BadSuccessor.” This issue takes advantage of a newly introduced feature known as delegated Managed Service Accounts (dMSAs), enabling attackers to impersonate any Active Directory (AD) user, including domain administrators, without altering existing account configurations or group memberships.
Key Details
- Vulnerable Feature: The problem lies within Delegated Managed Service Accounts (dMSAs) in Windows Server 2025.
- Method of Attack: An attacker can create a dMSA and assign specific attributes, allowing them to mimic a migration from an existing user account. Subsequently, the Key Distribution Center (KDC) grants the dMSA the same privileges as the targeted account, facilitating complete impersonation.
- Widespread Issue: In 91% of assessed environments, non-administrative users had the necessary permissions to exploit this vulnerability.
- Microsoft’s Standpoint: Microsoft has acknowledged the vulnerability but categorized it as “moderate” in severity, stating it does not warrant an immediate patch.
Impacts
If exploited, the BadSuccessor vulnerability can lead to domain compromise, allowing attackers to:
- Access sensitive data across the network.
- Gain privileged access to critical systems and endpoints.
- Move laterally within the network without detection.
This attack is particularly concerning as it does not require any interaction with the targeted accounts, rendering it stealthy.
Recommendations
To mitigate risks until a formal patch is made available, organizations should consider the following actions:
- Audit Permissions: Review which principals hold CreateChild permissions on Organizational Units (OUs) and remove that right from non-administrative users so they cannot create dMSAs.
- Monitor dMSA Creation: Set up monitoring for dMSA creation and attribute changes. Enable the “Audit Directory Service Changes” logging policy for relevant events.
- Use Detection Tools: Run Akamai's PowerShell script Get-BadSuccessorOUPermissions.ps1 to identify who has permission to create dMSAs and which OUs are affected.
- Limit dMSA Deployment: Only use dMSAs when necessary and ensure they are managed by trusted personnel.
- Stay Updated: Keep track of Microsoft’s updates regarding patches or guidance on handling this vulnerability.
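The permission audit and the event monitoring recommended above can be combined in one script. The following is an added example written for this summary; it is not Akamai's Get-BadSuccessorOUPermissions.ps1 and not Microsoft code. It assumes the RSAT ActiveDirectory module, a domain account able to read OU ACLs, and read access to a domain controller's Security log. The function names are hypothetical; the object class and attribute names (msDS-DelegatedManagedServiceAccount, msDS-ManagedAccountPrecededByLink, msDS-DelegatedMSAState) are taken from the Windows Server 2025 schema rather than from this page.

```powershell
# Added example, not Akamai's script. Requires the RSAT ActiveDirectory module; the
# event query additionally needs read access to a domain controller's Security log.
# Function names are hypothetical.
Import-Module ActiveDirectory

# Resolve the schemaIDGUID of the dMSA object class so that CreateChild ACEs scoped
# to that specific class can be recognised. Throws if the forest schema predates
# Windows Server 2025 (no dMSA class, so BadSuccessor does not apply).
function Get-DmsaSchemaGuid {
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $class = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter '(lDAPDisplayName=msDS-DelegatedManagedServiceAccount)' `
        -Properties schemaIDGUID
    if (-not $class) { throw 'msDS-DelegatedManagedServiceAccount is not in the schema' }
    return [guid]::new([byte[]]$class.schemaIDGUID)
}

# Walk every OU and report Allow ACEs that let a principal create children of the
# dMSA class: CreateChild or GenericAll for all object types (empty ObjectType), or
# CreateChild limited to the dMSA class GUID. Built-in admin groups are skipped so
# the output focuses on the non-administrative grants the advisory warns about.
function Get-DmsaCreateChildGrants {
    param(
        [string[]]$TrustedIdentities = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                                         '\Domain Admins', '\Enterprise Admins')
    )
    $dmsaGuid    = Get-DmsaSchemaGuid
    $createRight = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
    $allRights   = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

    foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
        $acl = Get-Acl -Path ('AD:\' + $ou.DistinguishedName)
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $identity = $ace.IdentityReference.Value
            if ($TrustedIdentities | Where-Object { $identity -like "*$_" }) { continue }

            $canCreate = $ace.ActiveDirectoryRights.HasFlag($createRight) -or
                         $ace.ActiveDirectoryRights.HasFlag($allRights)
            $scopeOk   = ($ace.ObjectType -eq [guid]::Empty) -or ($ace.ObjectType -eq $dmsaGuid)
            if (-not ($canCreate -and $scopeOk)) { continue }

            [pscustomobject]@{
                OU        = $ou.DistinguishedName
                Identity  = $identity
                Rights    = $ace.ActiveDirectoryRights
                Scope     = if ($ace.ObjectType -eq $dmsaGuid) { 'dMSA class only' } else { 'any child class' }
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Pull "directory service object created/modified" events (5137/5136) from a DC and
# keep those that mention the dMSA class or the attributes involved in a dMSA
# migration. Events are only written when "Audit Directory Service Changes" is
# enabled and the OU's SACL audits the operation.
function Get-DmsaDirectoryChangeEvents {
    param(
        [string]$DomainController = $env:COMPUTERNAME,
        [datetime]$Since = (Get-Date).AddDays(-7)
    )
    $watched = @('msDS-DelegatedManagedServiceAccount',
                 'msDS-ManagedAccountPrecededByLink',
                 'msDS-DelegatedMSAState')
    $events = Get-WinEvent -ComputerName $DomainController -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Security'; Id = 5136, 5137; StartTime = $Since }
    foreach ($e in $events) {
        $hit = $watched | Where-Object { $e.Message -match [regex]::Escape($_) }
        if (-not $hit) { continue }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            EventId = $e.Id
            Matched = ($hit -join ', ')
            Message = $e.Message
        }
    }
}

# Usage: list risky grants first, then review recent dMSA-related directory changes.
Get-DmsaCreateChildGrants | Format-Table -AutoSize
Get-DmsaDirectoryChangeEvents | Format-List Time, EventId, Matched
```

Every row returned by Get-DmsaCreateChildGrants is a principal that, per the advisory, could create a dMSA in that OU; each should either be removed or be a deliberately trusted administrator. The inherited ACEs it reports usually trace back to a grant higher in the tree, so fix the source rather than the individual OU. The event query matches on message text, which is simple but coarse; once the relevant event IDs are confirmed in your environment, a SIEM rule on the same IDs and attribute names is the durable form of this check.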
Conclusion
The BadSuccessor vulnerability sheds light on the risks that can arise from new features in systems like Active Directory. Organizations must conduct a thorough assessment to address their exposure while implementing technical safeguards. It’s vital to revisit how permissions, account creation, and directory monitoring are managed within the organization.
For those unsure about their vulnerability to BadSuccessor or similar threats, now is an opportune moment to investigate their systems closely.
References:
- Akamai Security Research: Abusing dMSA for Privilege Escalation in Active Directory
- Ori David’s LinkedIn Post: BadSuccessor Attack