Critical Windows Server 2025 Security Flaw: “BadSuccessor” Threatens Active Directory, Experts Disagree on Severity

A critical vulnerability in Windows Server 2025, dubbed "BadSuccessor," is raising alarms among cybersecurity researchers. The flaw allows attackers to escalate privileges and potentially compromise any user in Active Directory (AD). While Microsoft acknowledges the issue, security experts at Akamai strongly disagree with the company's assessment of its severity.

The vulnerability stems from the delegated Managed Service Account (dMSA) feature introduced in Windows Server 2025. This feature was designed to simplify the migration of legacy service accounts, but researchers at Akamai discovered a critical flaw in how permissions are handled during this process.

Akamai security researcher Yuval Gordon explained, "The attack exploits the delegated Managed Service Account (dMSA) feature that was introduced in Windows Server 2025, works with the default configuration, and is trivial to implement. This issue likely affects most organizations that rely on AD. In 91% of the environments we examined, we found users outside the domain admins group that had the required permissions to perform this attack."

The "BadSuccessor" technique allows an attacker with limited permissions to simulate a dMSA migration and gain the privileges of any user, including domain administrators. This could grant them access to sensitive information, critical systems, and the ability to move laterally within the network, potentially leading to data theft or ransomware deployment.

"One interesting fact about this 'simulated migration' technique is that it doesn't require any permissions over the superseded account," Gordon stated. "The only requirement is to write permissions over the attributes of a dMSA. Any dMSA."

Akamai reported the flaw to Microsoft on April 1, 2025. Microsoft classified the issue as moderate in severity and said it does not meet the bar for immediate servicing, because successful exploitation requires an attacker to already hold specific permissions on the dMSA object, which suggests an elevation of privileges; a patch is nonetheless in the works. This disagreement over the severity of the vulnerability has led to public criticism, with some researchers questioning Microsoft's response.

In response, Akamai has released a PowerShell script to help organizations identify potential vulnerabilities and is recommending limiting the ability to create dMSAs and tightening permissions wherever possible. Gordon emphasized that the flaw "introduces a previously unknown and high-impact abuse path that makes it possible for any user with CreateChild permissions on an OU to compromise any user in the domain and gain similar power to the Replicating Directory Changes privilege used to perform DCSync attacks."

In the absence of an official patch, organizations are urged to take proactive measures to assess their risk and implement mitigation strategies. This includes auditing dMSA creation, monitoring attribute configurations, tracking authentication, and reviewing permissions. Failure to do so could leave critical systems vulnerable to attack.
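As an added example (this is not Akamai's released script and is not part of the article), the PowerShell below covers two of the steps above: reviewing which principals hold CreateChild on organizational units, since that is the permission the article names as the prerequisite, and auditing dMSA creation from Directory Service audit events. It assumes the ActiveDirectory RSAT module is installed, that the dMSA object class is named msDS-DelegatedManagedServiceAccount (its GUID is resolved from the schema rather than hard-coded), and that "Audit Directory Service Changes" with a matching SACL is enabled so that event 5137 is logged; the $TrustedPrincipals list is a constructed starting point to tune for your environment.

```powershell
# Added audit example for the BadSuccessor prerequisites described in the article.
# Not Akamai's script. Assumes RSAT ActiveDirectory module and a Windows Server 2025 schema.
Import-Module ActiveDirectory

# Constructed allow-list: grants to these principals are expected and not reported.
# Domain-qualified groups are matched with wildcards because the NetBIOS name varies.
$TrustedPrincipals = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM',
                       'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
                       '*\Domain Admins', '*\Enterprise Admins')

function Get-DmsaSchemaGuid {
    # Resolve the schemaIDGUID of the dMSA class from the forest schema so that
    # object-type-specific CreateChild ACEs can be recognised without a hard-coded GUID.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $cls = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter '(lDAPDisplayName=msDS-DelegatedManagedServiceAccount)' `
        -Properties schemaIDGUID
    if (-not $cls) { throw 'dMSA object class not found in schema; is the forest schema at Windows Server 2025 level?' }
    return [guid]$cls.schemaIDGUID
}

function Find-DmsaCreateChildGrants {
    # Walk every OU and report Allow ACEs that grant CreateChild either for any child
    # class (ObjectType = empty GUID, which also covers GenericAll) or for the dMSA class.
    param([string[]]$Exclude = $TrustedPrincipals)
    $dmsaGuid = Get-DmsaSchemaGuid
    $createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
    foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
        $acl = Get-Acl -Path ("AD:\" + $ou.DistinguishedName)
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (-not ($ace.ActiveDirectoryRights -band $createChild)) { continue }
            if ($ace.ObjectType -ne [guid]::Empty -and $ace.ObjectType -ne $dmsaGuid) { continue }
            $who = $ace.IdentityReference.Value
            if ($Exclude | Where-Object { $who -like $_ }) { continue }
            [pscustomobject]@{
                OU        = $ou.DistinguishedName
                Principal = $who
                Scope     = if ($ace.ObjectType -eq [guid]::Empty) { 'AnyChildClass' } else { 'dMSAOnly' }
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Get-DmsaCreationEvents {
    # Pull Security event 5137 ("A directory service object was created") from a DC and
    # keep only dMSA objects. Returns nothing unless Directory Service Changes auditing
    # and a SACL on the relevant OUs/containers are in place.
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 5137; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($data['ObjectClass'] -eq 'msDS-DelegatedManagedServiceAccount') {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    Creator = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                    Object  = $data['ObjectDN']
                    DC      = $ComputerName
                }
            }
        }
}

# Usage: list unexpected CreateChild grants, then dMSA objects created in the last week.
Find-DmsaCreateChildGrants | Sort-Object OU, Principal | Format-Table -AutoSize
Get-DmsaCreationEvents -Hours 168 | Format-Table -AutoSize
```

Any row from Find-DmsaCreateChildGrants is a principal that, per the article, can create a dMSA under that OU; the review question for each is whether the grant is intentional and whether it can be narrowed. Run the event query against every domain controller, since 5137 is written only on the DC that processed the creation.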

What are your thoughts on the severity of this flaw? Should Microsoft have prioritized a faster patch? Share your opinions and concerns in the comments below.

