Do Son 
A critical vulnerability has been discovered in Windows Server 2025, enabling threat actors to escalate privileges and gain access to any user account within Active Directory. The flaw lies within a newly introduced feature known as Delegated Managed Service Accounts (dMSA), originally implemented to counter Kerberoasting attacks. Ironically, this very feature has now become the foundation for a novel attack technique dubbed BadSuccessor.
The dMSA functionality is designed to replace legacy service accounts with more secure alternatives. According to Microsoft’s documentation, dMSA prevents authentication using the original account’s password and redirects authentication requests to the Local Security Authority (LSA), granting dMSA all the privileges previously assigned to its predecessor. Moreover, dMSA autonomously identifies the devices on which the legacy account was used and extends its influence accordingly.
Research conducted by Akamai revealed that in nearly 91% of audited infrastructures, users outside the Domain Admins group possessed sufficient privileges to carry out the attack. The vulnerability’s danger lies in how Kerberos authentication is handled: during the process, the Key Distribution Center (KDC) embeds not only the dMSA’s Security Identifier (SID) in the ticket but also the identifiers of the replaced account and its associated groups.
This creates a loophole: by simulating a migration, attackers can transfer dMSA privileges to any other account—including those with domain administrator rights. Crucially, this maneuver requires no access to the original account—merely write permissions on the attributes of any dMSA object. Once this link is altered, the dMSA instantly inherits full privileges, as though a legitimate migration had occurred.
Despite the potentially catastrophic implications, Microsoft has assigned the vulnerability a moderate severity rating and has not issued an immediate patch, citing the necessity of specific permissions for exploitation. Nevertheless, a fix is currently in development.
In the interim, organizations are advised to restrict the creation of dMSAs and tighten access controls associated with their use. Akamai has also released a PowerShell script that helps identify all entities with the rights to create dMSAs, as well as the organizational units where this is permissible.
According to the research team, this vulnerability exposes a previously unknown and covert pathway for compromising any user account in the domain, granting access privileges equivalent to DCSync rights—commonly leveraged in attacks targeting domain controllers.
Donate