Full Report
A privilege escalation flaw has been demonstrated in Windows Server 2025 that makes it possible for attackers to compromise any user in Active Directory (AD). "The attack exploits the delegated Managed Service Account (dMSA) feature that was introduced in Windows Server 2025, works with the default configuration, and is trivial to implement," Akamai security researcher Yuval Gordon said in a
Analysis Summary
# Vulnerability: Privilege Escalation via Delegated Managed Service Account (dMSA) Misuse (BadSuccessor)
## CVE Details
- CVE ID: Not explicitly provided in the context (Article dated May 22, 2025, reporting on a recent discovery).
- CVSS Score: Not provided, but Microsoft classified severity as **Moderate**.
- CWE: Likely related to improper access control or authorization logic during privilege transfer/token creation.
## Affected Systems
- Products: Windows Server 2025 (Focusing on Active Directory features).
- Versions: Windows Server 2025 environments utilizing the Delegated Managed Service Account (dMSA) feature.
- Configurations: The attack works with the default configuration of dMSA. Exploitation is possible even if dMSAs are not actively being used, provided the attacker can locate an existing dMSA object and write to its attributes.
## Vulnerability Description
The vulnerability, codenamed **BadSuccessor**, exploits the Kerberos authentication phase during the creation or simulation of a Delegated Managed Service Account (dMSA) in Active Directory (AD) on Windows Server 2025.
When a dMSA supersedes a legacy service account, the resulting Privilege Attribute Certificate (PAC) embeds the SID of the dMSA and the SIDs of the superseded account and its groups. The flaw allows an attacker who possesses **write permissions** over the attributes of *any* dMSA object to mark that dMSA as having superseded a target user account without requiring any permissions over the target account itself.
When an attacker manipulates the 'predecessor' attribute on a dMSA, the Key Distribution Center (KDC) is tricked into issuing a ticket for the dMSA that includes the permissions of the targeted user account, because of the way the PAC is constructed during this simulated migration. This can give the attacker privileges equivalent to those of high-value targets, including Domain Administrators.
## Exploitation
- Status: Proof of Concept (PoC) available.
- Complexity: **Low** ("trivial to implement" according to the researcher).
- Attack Vector: **Adjacent** or **Network** (Requires write privileges on a dMSA object, which attackers can often achieve if standard users have CreateChild permissions on relevant Organizational Units (OUs)).
## Impact
- Confidentiality: High (Access to data/systems the compromised user can access).
- Integrity: High (Ability to modify domain data/configurations).
- Availability: High (Potential for broad domain disruption).
## Remediation
### Patches
- Vendor acknowledgement indicates a patch is currently in development. (Specific patch version not yet available).
### Workarounds
1. **Harden Permissions:** Restrict the ability for non-administrative users to create or modify dMSA objects, specifically targeting write permissions on dMSA attributes within OUs.
2. **Audit dMSA Creation Permissions:** Immediately identify and limit which non-default principals have permission to create dMSAs. Akamai has released a PowerShell script to enumerate principals with these rights.
## Detection
- **Indicators of Compromise (IoCs):** Unauthorized modification of the 'predecessor' attribute on dMSA objects within Active Directory. Unusual Kerberos requests or PAC generation patterns appearing to simulate service account migration.
- **Detection Methods and Tools:** Monitor AD object changes, specifically focusing on the attributes of dMSA objects. Use the provided enumeration script to baseline current permission configurations related to dMSA creation rights.
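Detection logic of the kind this section describes, as an added example that is not from the article, Akamai, or Microsoft: it scans constructed records shaped like Windows Security Event ID 5136 ("A directory service object was modified") and flags writes to a dMSA's migration attributes by principals outside an approved-operator list, escalating when the linked predecessor is a protected account. The attribute names msDS-ManagedAccountPrecededByLink and msDS-DelegatedMSAState, the object class msDS-DelegatedManagedServiceAccount, the event field names, the actors, DNs and allowlists are assumptions or constructed sample data; in particular, reading the page's 'predecessor' attribute as msDS-ManagedAccountPrecededByLink is my assumption, not something the page states.

```python
from dataclasses import dataclass
from typing import Iterable

# Assumed LDAP names for the dMSA object class and its migration attributes.
# The page only says "'predecessor' attribute"; the mapping below is an assumption.
DMSA_CLASS = "msDS-DelegatedManagedServiceAccount"
PREDECESSOR_ATTR = "msDS-ManagedAccountPrecededByLink"
STATE_ATTR = "msDS-DelegatedMSAState"
WATCHED_ATTRS = {PREDECESSOR_ATTR.lower(), STATE_ATTR.lower()}

# Event 5136 OperationType codes: value added / value deleted.
VALUE_ADDED = "%%14674"
VALUE_DELETED = "%%14675"


@dataclass(frozen=True)
class Finding:
    object_dn: str
    actor: str
    attribute: str
    value: str
    severity: str
    reason: str


def find_suspicious_dmsa_writes(events: Iterable[dict], approved_actors: Iterable[str],
                                protected_dns: Iterable[str]) -> list:
    """Return one Finding per 5136-style event that writes a dMSA migration
    attribute and was not performed by an approved migration operator.

    Adds are rated high (critical when the predecessor is a protected account);
    deletions are rated medium, since clearing the link can be post-attack cleanup."""
    approved = {a.lower() for a in approved_actors}
    protected = {p.lower() for p in protected_dns}
    findings = []
    for ev in events:
        if ev.get("ObjectClass", "").lower() != DMSA_CLASS.lower():
            continue  # only dMSA objects carry the migration attributes of interest
        attr = ev.get("AttributeLDAPDisplayName", "")
        if attr.lower() not in WATCHED_ATTRS:
            continue  # description, servicePrincipalName etc. are not the escalation primitive
        actor = ev.get("SubjectUserName", "")
        if actor.lower() in approved:
            continue  # expected migration activity by the designated operator
        op = ev.get("OperationType")
        value = ev.get("AttributeValue", "")
        if op == VALUE_DELETED:
            severity, reason = "medium", "dMSA migration attribute cleared by an unapproved actor"
        elif op == VALUE_ADDED and attr.lower() == PREDECESSOR_ATTR.lower():
            if value.lower() in protected:
                severity, reason = "critical", "dMSA linked to a protected account by an unapproved actor"
            else:
                severity, reason = "high", "dMSA predecessor link written by an unapproved actor"
        elif op == VALUE_ADDED:
            severity, reason = "high", "dMSA migration state changed by an unapproved actor"
        else:
            continue  # unknown operation type: leave it to the generic change audit
        findings.append(Finding(ev.get("ObjectDN", ""), actor, attr, value, severity, reason))
    return findings


# Constructed sample events in 5136 field layout (not real telemetry).
DOMAIN = "DC=corp,DC=example"
SAMPLE_EVENTS = [
    {  # legitimate migration performed by the approved operator: not flagged
        "SubjectUserName": "svc-migration-admin",
        "ObjectDN": f"CN=web-dmsa,CN=Managed Service Accounts,{DOMAIN}",
        "ObjectClass": DMSA_CLASS,
        "AttributeLDAPDisplayName": PREDECESSOR_ATTR,
        "AttributeValue": f"CN=svc-web,OU=Service Accounts,{DOMAIN}",
        "OperationType": VALUE_ADDED,
    },
    {  # unapproved user links a dMSA in a writable OU to a protected account
        "SubjectUserName": "jdoe",
        "ObjectDN": f"CN=helpdesk-dmsa,OU=Workstations,{DOMAIN}",
        "ObjectClass": DMSA_CLASS,
        "AttributeLDAPDisplayName": PREDECESSOR_ATTR,
        "AttributeValue": f"CN=Administrator,CN=Users,{DOMAIN}",
        "OperationType": VALUE_ADDED,
    },
    {  # same actor changes the migration state attribute (value is constructed)
        "SubjectUserName": "jdoe",
        "ObjectDN": f"CN=helpdesk-dmsa,OU=Workstations,{DOMAIN}",
        "ObjectClass": DMSA_CLASS,
        "AttributeLDAPDisplayName": STATE_ATTR,
        "AttributeValue": "2",
        "OperationType": VALUE_ADDED,
    },
    {  # unrelated attribute write on a user object: ignored
        "SubjectUserName": "jdoe",
        "ObjectDN": f"CN=jdoe,OU=Staff,{DOMAIN}",
        "ObjectClass": "user",
        "AttributeLDAPDisplayName": "description",
        "AttributeValue": "Help desk",
        "OperationType": VALUE_ADDED,
    },
]
APPROVED_MIGRATION_OPERATORS = {"svc-migration-admin"}
PROTECTED_ACCOUNTS = {f"CN=Administrator,CN=Users,{DOMAIN}"}

if __name__ == "__main__":
    for f in find_suspicious_dmsa_writes(SAMPLE_EVENTS, APPROVED_MIGRATION_OPERATORS, PROTECTED_ACCOUNTS):
        print(f"[{f.severity}] {f.actor} wrote {f.attribute}={f.value!r} on {f.object_dn}: {f.reason}")
```

Producing 5136 events for these attributes requires the "Audit Directory Service Changes" subcategory to be enabled and a SACL on the relevant containers; without that, the KDC-side behaviour described above leaves no attribute-change record to match. The approved-operator allowlist only separates expected migrations from unexpected ones, so a compromised operator account would still pass; the critical rating for protected predecessors is there to catch exactly the case where the allowlist is wrong.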
## References
- Vendor Advisories: Microsoft classified the issue as moderate severity.
- Relevant Links:
  - Akamai Research Blog: hxxps://www[.]akamai[.]com/blog/security-research/abusing-dmsa-for-privilege-escalation-in-active-directory
  - Akamai PoC Repository: hxxps://github[.]com/akamai/BadSuccessor