BadSuccessor Vulnerability in Windows Server 2025 Enables Domain Admin Privilege Escalation
Summary : A critical privilege escalation vulnerability, BadSuccessor, affects Windows Server 2025 through its Delegated Managed Service Account (dMSA) feature.
Akamai researchers have discovered a serious design vulnerability in Windows Server 2025 related to the use of delegated managed service accounts (dMSAs). This flaw allows an attacker with least privilege to escalate to domain administrator privileges without directly interacting with privileged accounts or modifying group memberships.
| OEM | Microsoft |
| Severity | Medium |
| CVSS Score | 6.5 |
| CVEs | N/A |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
First discovered by Yuval Gordon, a researcher at Akamai, the flaw allows attackers with minimal Active Directory (AD) permissions – specifically CreateChild rights on an Organizational Unit (OU) to escalate privileges to Domain Administrator.
The attack has been weaponized in a publicly available proof-of-concept tool called SharpSuccessor, developed by Logan Goins, with contributions from researchers Jim Sykora and Garrett Foster.
Microsoft has acknowledged vulnerability but classified it as moderate severity, and no patch is currently available.
| Vulnerability Name | CVE ID | Product Affected | Severity | Impact |
| BadSuccessor vulnerability | N/A | Windows Server 2025 | Medium | Privilege escalation |
Technical Summary
BadSuccessor exploits the design of Delegated Managed Service Accounts (dMSA), a feature introduced in Windows Server 2025 to facilitate the migration from legacy service accounts and mitigate Kerberoasting risks.
The flaw occurs during the dMSA migration process, where the attacker manipulates two AD attributes msDS-ManagedAccountPrecededByLink and msDS-DelegatedMSAState to simulate the replacement of a privileged account.
Active Directory’s Key Distribution Center (KDC), when processing Kerberos Ticket Granting Tickets (TGTs), embeds both the attacker’s dMSA and the original account’s Security Identifiers (SIDs) into the Privilege Attribute Certificate (PAC).
This causes the attacker’s dMSA to inherit the permissions of the target user, effectively granting Domain Admin privileges without any need to compromise the original account.
Key Points:
- Requires only CreateChild permissions on an Organizational Unit (OU) a common delegation in AD environments.
- Exploitable even if dMSAs are not actively in use, as long as a Windows Server 2025 domain controller is present.
- 91% of environments analyzed by Akamai had non-admin users with enough permissions to launch the attack.
Example Exploitation Chain:
- Create a malicious dMSA:
SharpSuccessor.exe add /impersonate:Administrator /path:”ou=test,dc=lab,dc=lan” /account:jdoe /name:attacker_dMSA
Obtain a TGT using Rubeus:
Rubeus.exe tgtdeleg /nowrap
- Request a service ticket impersonating the high-privilege user:
Rubeus.exe asktgs /user:attacker_dmsa$ /service:cifs/[DC_FQDN] /opsec /dmsa /nowrap /ptt /ticket:[Base64_TGT]
This grants the attacker full access to Domain Controllers, allowing for lateral movement and credential harvesting using legitimate Kerberos workflows.
Recommendations:
- Restrict dMSA Creation: Limit CreateChild permissions on Organizational Units (OUs) to trusted administrators only.
- Audit Permissions: Use Akamai’s PowerShell script to identify and revoke risky dMSA creation rights: Get-BadSuccessorOUPermissions.ps1
- Harden High-Privilege Accounts: Apply Authentication Policy Silos to isolate sensitive accounts.
- Monitor for Abuse: Watch for unusual Kerberos activity involving dMSA accounts.
- Apply Patch When Available: Microsoft is working on a fix apply it as soon as it’s released.
Conclusion:
BadSuccessor represents a serious flaw in the dMSA architecture of Windows Server 2025, enabling attackers to gain domain wide privileges using only commonly granted permissions.
While Microsoft’s classification of the issue as “moderate” is based on its technical complexity, the broad exposure and ease of exploitation via SharpSuccessor demand urgent action. Organizations must review Active Directory permissions and implement hardened access control policies immediately.
References: