Managed Service Provider - Cybersecurity
Shane

CinchOps Windows Server 2025 Security Advisory: BadSuccessor Threatens Active Directory Accounts

Critical Windows Server 2025 Flaw Enables Complete Active Directory Takeover

Description of the Vulnerability

A critical privilege escalation vulnerability dubbed “BadSuccessor” has been discovered in Windows Server 2025 that allows attackers to compromise any user in Active Directory (AD), including domain administrators. The attack abuses the delegated Managed Service Account (dMSA) feature introduced in Windows Server 2025, works in the default configuration, and is trivial to carry out.

The vulnerability stems from how Windows Server 2025 handles the dMSA migration process. Delegated Managed Service Accounts were introduced as a mitigation for Kerberoasting, allowing organizations to replace legacy service accounts with machine-style accounts whose keys are managed and fully randomized. The migration logic, however, contains a critical weakness in the way the new account inherits the permissions of the account it replaces.

That inheritance hinges on a single attribute, msDS-ManagedAccountPrecededByLink, which the Key Distribution Center (KDC) reads to determine which legacy account the dMSA is replacing; a second attribute, msDS-DelegatedMSAState, records whether the migration has completed. The KDC does not check that whoever wrote the link had any rights over the linked account, so an attacker who can write both attributes on a dMSA they control can make the system believe a legitimate migration has occurred when none has.

Severity of the Issue

This vulnerability represents a critical threat to any organization running Windows Server 2025 domain controllers. In 91% of the environments Akamai examined, users outside the Domain Admins group already held the permissions required to perform the attack, which is what makes it so dangerous: the precondition is ordinary OU delegation, not a misconfiguration.

The flaw introduces a previously unknown, high-impact abuse path: any principal with CreateChild permission on an organizational unit can compromise any user in the domain, gaining power comparable to the Replicating Directory Changes rights used to perform DCSync attacks.

Despite these implications, there is significant disagreement about severity. Microsoft assessed the issue as “moderate severity” that “does not currently meet the threshold for immediate servicing,” while Akamai’s researchers respectfully disagree with that assessment.

How It Is Exploited

The BadSuccessor attack is remarkably simple to execute and requires minimal technical expertise. The attacker needs only a principal with “Create all child objects” (CreateChild) permission on some organizational unit, a common delegation to non-administrators. With it, they create a new dMSA in that OU, set msDS-ManagedAccountPrecededByLink to the distinguished name of any user or computer account they want to become, and set msDS-DelegatedMSAState to the “migration completed” value.

Those two attribute writes are the whole attack. If the link is present and the state says the migration is complete, the KDC treats the new dMSA as that account’s successor and grants it the account’s privileges. No group membership changes, no existing account is elevated or modified, and no traditional privilege escalation alert fires.

The attack process involves:

  1. Creating a new dMSA in an organizational unit where the attacker has CreateChild permissions
  2. Setting the msDS-ManagedAccountPrecededByLink attribute to point to a high-value target (such as a Domain Admin)
  3. Setting the msDS-DelegatedMSAState attribute to 2 (migration completed)
  4. Using a tool such as Rubeus to request a Kerberos ticket for the dMSA; the ticket carries the target account’s privileges

Even more concerning, the researchers found that the TGT issued for the dMSA also carries the superseded account’s keys (in the KERB-DMSA-KEY-PACKAGE structure), so the attacker can authenticate directly as that user rather than only act through the dMSA.
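The same two attributes can be read back from the directory to find dMSAs that already claim a predecessor, which is the state the attack leaves behind. The PowerShell below is an added example written for this advisory; it is not Akamai’s tooling or code from the original research. It assumes the ActiveDirectory RSAT module and ordinary read access to the domain, and the function name Get-LinkedDmsa is ours.

```powershell
# Added example written for this advisory (not Akamai's or CinchOps' tooling): list every
# dMSA in the domain and flag any whose "successor" attributes are set, which is exactly
# the state a BadSuccessor attack leaves behind. Assumes the ActiveDirectory RSAT module
# and ordinary read access to the domain; run from a domain-joined host.
Import-Module ActiveDirectory

function Get-LinkedDmsa {
    [CmdletBinding()]
    param(
        # Domain (or DC) to query; defaults to the current user's domain.
        [string]$Server = (Get-ADDomain).DNSRoot
    )

    # Every dMSA is an object of class msDS-DelegatedManagedServiceAccount.
    $dmsas = Get-ADObject -Server $Server `
        -LDAPFilter '(objectClass=msDS-DelegatedManagedServiceAccount)' `
        -Properties 'msDS-ManagedAccountPrecededByLink', 'msDS-DelegatedMSAState', whenCreated, whenChanged

    foreach ($dmsa in $dmsas) {
        # Linked attribute: the DN of the account this dMSA claims to supersede (user or computer).
        $link  = @($dmsa.'msDS-ManagedAccountPrecededByLink')[0]
        # 0 = not migrated, 1 = migration started, 2 = migration completed (the value the attack sets).
        $state = [int]$dmsa.'msDS-DelegatedMSAState'

        # A dMSA created normally has no predecessor link at all; nothing to inherit.
        if (-not $link) { continue }

        # Resolve the predecessor and check whether it is a protected (privileged) account.
        $target     = Get-ADObject -Server $Server -Identity $link -Properties adminCount, sAMAccountName
        $privileged = ($target.adminCount -eq 1)

        $verdict = 'Migration in progress'
        if ($state -eq 2) { $verdict = if ($privileged) { 'INVESTIGATE NOW' } else { 'Review: completed migration' } }

        [PSCustomObject]@{
            dMSA               = $dmsa.DistinguishedName
            PrecededBy         = $target.sAMAccountName
            TargetIsPrivileged = $privileged
            MigrationState     = $state
            Created            = $dmsa.whenCreated
            LastChanged        = $dmsa.whenChanged
            Verdict            = $verdict
        }
    }
}

# Usage: show every dMSA that claims a predecessor, worst first.
Get-LinkedDmsa | Sort-Object Verdict, Created | Format-Table -AutoSize
```

A legitimate migration sets the same two attributes, so a hit is not proof of compromise by itself; cross-check each row against who created the object (Security event 5137 on the domain controllers) before accepting it as a planned migration.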

(Figure: full attack flow, showing all steps needed to perform a BadSuccessor attack – Source: Akamai)

Who Discovered the Exploit

Akamai researcher Yuval Gordon discovered the vulnerability and reported it to Microsoft through MSRC on April 1, 2025. It is a design flaw in Microsoft’s implementation of the dMSA feature, not something introduced by malicious actors.

The root cause lies in Microsoft’s attempt to create a seamless migration path from legacy service accounts to managed accounts. The intention was to improve security by mitigating Kerberoasting, but the implementation inadvertently created a new attack vector that is more dangerous than the threat it was designed to prevent.

Who Is at Risk

This issue likely affects most organizations that rely on AD: the dMSA object class and the KDC logic behind it exist in any domain with at least one Windows Server 2025 domain controller. Organizations are at risk even if they have never created a dMSA, because the feature is present by default and requires no opt-in.

Particularly vulnerable are:

  • Organizations that have upgraded to or added Windows Server 2025 domain controllers
  • Enterprises in which non-administrators hold CreateChild permissions on organizational units
  • Companies with legacy service accounts that have not been properly secured
  • Any Active Directory environment where users can create objects in organizational units

Remediation Measures

At the time of this advisory no official patch is available, so organizations must implement defensive measures immediately:

Immediate Actions:

  • Limit the ability to create dMSAs to trusted administrators only
  • Identify every principal with permission to create dMSAs across the domain, including rights inherited from parent OUs and rights held through group membership
  • Remove CreateChild permissions from users who do not require them for legitimate business purposes
  • Enable “Directory Service Changes” auditing on domain controllers and alert on dMSA creation events (Event ID 5137)
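One way to carry out the first two actions is to walk every OU and container and report who can create child objects there. The PowerShell below is an added example written for this advisory, not Akamai’s script; it assumes the ActiveDirectory RSAT module (which provides the AD: drive) and read access to the domain. It interprets object-specific and inherited ACEs, and also reports WriteDacl/WriteOwner holders, who can grant themselves CreateChild. The function name and the list of “expected” SIDs are ours.

```powershell
# Added example written for this advisory (not Akamai's script): report every principal
# that can create child objects in an OU or container, i.e. the only right BadSuccessor
# needs. Assumes the ActiveDirectory RSAT module (which provides the AD: drive) and read
# access to the domain; run from a domain-joined host.
Import-Module ActiveDirectory

function Get-DmsaCreatorPermissions {
    [CmdletBinding()]
    param([string]$Server = (Get-ADDomain).DNSRoot)

    # Resolve schemaIDGUIDs at run time instead of hard-coding them.
    $schemaNc = (Get-ADRootDSE -Server $Server).schemaNamingContext
    $guid = @{}
    foreach ($class in 'msDS-DelegatedManagedServiceAccount', 'organizationalUnit', 'container') {
        $obj = Get-ADObject -Server $Server -SearchBase $schemaNc `
            -LDAPFilter "(lDAPDisplayName=$class)" -Properties schemaIDGUID
        $guid[$class] = [guid]$obj.schemaIDGUID
    }
    $dmsaGuid = $guid['msDS-DelegatedManagedServiceAccount']

    # Principals expected to hold this right; anyone else in the output is a finding.
    $domainSid = (Get-ADDomain -Server $Server).DomainSID.Value
    $expected  = @('S-1-5-18', 'S-1-5-32-544', "$domainSid-500", "$domainSid-512", "$domainSid-519")
    #              SYSTEM      BUILTIN\Admins   Administrator     Domain Admins     Enterprise Admins

    $createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
    $takeover    = [System.DirectoryServices.ActiveDirectoryRights]'WriteDacl, WriteOwner'
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

    $scopes = Get-ADObject -Server $Server -Properties objectClass `
        -LDAPFilter '(|(objectClass=organizationalUnit)(objectClass=container))'
    foreach ($scope in $scopes) {
        $scopeClassGuid = $guid[[string]$scope.ObjectClass]
        if (-not $scopeClassGuid) { continue }   # a subclass we did not look up
        $acl = Get-Acl -Path "AD:\$($scope.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            # Inherit-only ACEs grant nothing on this object itself.
            if ($ace.PropagationFlags.HasFlag($inheritOnly)) { continue }
            # An inherited ACE scoped to another object class does not apply here.
            if ($ace.InheritedObjectType -ne [guid]::Empty -and $ace.InheritedObjectType -ne $scopeClassGuid) { continue }

            # Direct: CreateChild for all classes (empty ObjectType) or specifically for dMSAs.
            $direct = $ace.ActiveDirectoryRights.HasFlag($createChild) -and
                      ($ace.ObjectType -eq [guid]::Empty -or $ace.ObjectType -eq $dmsaGuid)
            # Indirect: WriteDacl/WriteOwner on the whole object lets the holder grant itself CreateChild.
            $indirect = ([int]($ace.ActiveDirectoryRights -band $takeover) -ne 0) -and
                        ($ace.ObjectType -eq [guid]::Empty)
            if (-not ($direct -or $indirect)) { continue }
            $right = if ($direct) { 'CreateChild' } else { 'WriteDacl/WriteOwner' }

            try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
            catch { $sid = $ace.IdentityReference.Value }   # already a SID, or an orphaned trustee

            [PSCustomObject]@{
                Scope     = $scope.DistinguishedName
                Principal = $ace.IdentityReference.Value
                Right     = $right
                Inherited = $ace.IsInherited
                Expected  = ($sid -in $expected)
            }
        }
    }
}

# Usage: only the holders that should not have the right.
Get-DmsaCreatorPermissions | Where-Object { -not $_.Expected } | Format-Table -AutoSize
```

Groups appear under their own name; expand each one with Get-ADGroupMember -Recursive to see which users can actually run the attack, since that membership is what the 91% figure above counts.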

Monitoring and Detection:

  • Configure System Access Control Lists (SACLs) to log creation of new msDS-DelegatedManagedServiceAccount objects
  • Monitor modifications to the msDS-ManagedAccountPrecededByLink attribute
  • Track Ticket Granting Tickets (TGTs) generated for dMSAs that include the KERB-DMSA-KEY-PACKAGE structure
  • Implement alerting for unusual authentication patterns involving dMSAs
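The first two monitoring items, and a query over the events they produce, as an added PowerShell example written for this advisory (not from Akamai or Microsoft). It assumes Domain Admin rights, the ActiveDirectory RSAT module, and that the “Directory Service Changes” audit subcategory is already enabled on the domain controllers (via auditpol or Group Policy); without that policy the SACL produces no events. Function names are ours.

```powershell
# Added example written for this advisory (not from the Akamai post): (1) set SACLs on the
# domain root so that every dMSA creation (event 5137) and every write to
# msDS-ManagedAccountPrecededByLink or msDS-DelegatedMSAState (event 5136) is audited, and
# (2) pull those events back from a domain controller and correlate them per object.
# Assumes Domain Admin rights, the ActiveDirectory RSAT module, and "Directory Service
# Changes" auditing enabled on the DCs.
Import-Module ActiveDirectory

$WatchedAttributes = 'msDS-ManagedAccountPrecededByLink', 'msDS-DelegatedMSAState'

function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$obj.schemaIDGUID
}

function Enable-DmsaAuditing {
    $everyone = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'
    $domainDn = (Get-ADDomain).DistinguishedName
    $success  = [System.Security.AccessControl.AuditFlags]::Success
    $inherit  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
    $acl = Get-Acl -Path "AD:\$domainDn" -Audit

    # Object-specific audit ACE: creation of a child of class msDS-DelegatedManagedServiceAccount, inherited everywhere.
    $acl.AddAuditRule([System.DirectoryServices.ActiveDirectoryAuditRule]::new(
        $everyone, [System.DirectoryServices.ActiveDirectoryRights]::CreateChild, $success,
        (Get-SchemaGuid 'msDS-DelegatedManagedServiceAccount'), $inherit))
    # Property-specific audit ACEs: WriteProperty on each of the two attributes the attack sets.
    foreach ($attr in $WatchedAttributes) {
        $acl.AddAuditRule([System.DirectoryServices.ActiveDirectoryAuditRule]::new(
            $everyone, [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty, $success,
            (Get-SchemaGuid $attr), $inherit))
    }
    Set-Acl -Path "AD:\$domainDn" -AclObject $acl
}

function Find-BadSuccessorActivity {
    param(
        [string]$DomainController = (Get-ADDomainController).HostName,
        [int]$Days = 7
    )
    $events = Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
        LogName = 'Security'; Id = 5136, 5137; StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue

    $hits = foreach ($e in $events) {
        # Flatten <EventData><Data Name="...">value</Data> into a hashtable.
        $d = @{}
        foreach ($item in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$item.Name] = $item.'#text' }

        # 5136 OperationType %%14674 is "Value Added"; the matching %%14675 (value deleted) is ignored.
        $kind = $null
        if ($e.Id -eq 5137 -and $d.ObjectClass -eq 'msDS-DelegatedManagedServiceAccount') {
            $kind = 'dMSA created'
        } elseif ($e.Id -eq 5136 -and $d.AttributeLDAPDisplayName -in $WatchedAttributes -and $d.OperationType -eq '%%14674') {
            $kind = "$($d.AttributeLDAPDisplayName) = $($d.AttributeValue)"
        }
        if ($kind) {
            [PSCustomObject]@{
                Time   = $e.TimeCreated
                Actor  = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Object = $d.ObjectDN
                Change = $kind
            }
        }
    }

    # Correlate per object: creation plus both attribute writes is the complete attack chain.
    $hits | Group-Object Object | ForEach-Object {
        $changes = @($_.Group.Change)
        [PSCustomObject]@{
            Object    = $_.Name
            Actors    = ($_.Group.Actor | Sort-Object -Unique) -join ', '
            FirstSeen = ($_.Group.Time | Sort-Object | Select-Object -First 1)
            Chain     = $changes -join '; '
            FullChain = ($changes -contains 'dMSA created') -and
                        (@($changes -like 'msDS-ManagedAccountPrecededByLink = *').Count -gt 0) -and
                        ($changes -contains 'msDS-DelegatedMSAState = 2')
        }
    }
}

# Usage: enable auditing once, then review the last week of activity, full chains first.
Enable-DmsaAuditing
Find-BadSuccessorActivity -Days 7 | Sort-Object FullChain -Descending | Format-Table -AutoSize
```

Run the query against every domain controller (or a SIEM that collects from all of them), since the events land on whichever DC processed the write; a planned migration will also show a full chain, so treat the Actors column as the first thing to verify.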

Akamai has released a PowerShell script that helps defenders identify which identities have permissions to create dMSAs in their domain, and which organizational units are affected.

How CinchOps Can Help Secure Your Business

At CinchOps, we understand that complex vulnerabilities like BadSuccessor require immediate attention and expert remediation. Our experienced team of cybersecurity professionals can help protect your organization from this critical threat through comprehensive security assessments and rapid response services.

Our BadSuccessor vulnerability response includes:

  • Immediate Risk Assessment: We’ll conduct a thorough audit of your Active Directory environment to identify vulnerable configurations and users with dangerous permissions. Our team will use specialized tools to map your exposure and prioritize remediation efforts.
  • Rapid Mitigation Implementation: CinchOps will immediately implement protective measures including permission hardening, monitoring configuration, and access controls to prevent exploitation while Microsoft develops an official patch.
  • Advanced Monitoring Setup: We’ll deploy sophisticated monitoring solutions that detect potential BadSuccessor attacks in real-time, including custom alerts for dMSA creation, attribute modifications, and suspicious authentication patterns.
  • Comprehensive Active Directory Security: Beyond addressing this specific vulnerability, CinchOps provides complete Active Directory security services including privilege management, service account hardening, and implementation of zero-trust principles.

Don’t wait for attackers to discover this vulnerability in your environment. Contact CinchOps today for immediate protection against BadSuccessor and comprehensive Active Directory security. Our local expertise in managed IT support ensures rapid response times and personalized service for businesses throughout Houston and Katy.

With over three decades of experience securing enterprise environments, CinchOps has the knowledge and tools necessary to protect your organization from sophisticated threats like BadSuccessor. Let us help you turn this security challenge into an opportunity to strengthen your overall cybersecurity posture.

Discover More

Discover more about our enterprise-grade and business protecting cybersecurity services: CinchOps Cybersecurity
Discover related topics: Global Law Enforcement Dismantles Lumma Stealer Operation
For Additional Information on this topic: BadSuccessor: Abusing dMSA to Escalate Privileges in Active Directory
