BadSuccessor: a new vulnerability in Windows Server 2025 allows compromising Active Directory domains

Akamai researchers discover a critical flaw in the use of delegated Managed Service Accounts (dMSA) that exposes organizations using Windows Server 2025 to privilege escalation attacks.

A recent investigation published by Yuval Gordon, a cybersecurity expert at Akamai, has revealed a serious vulnerability in Windows Server 2025 that affects Active Directory environments. The flaw, dubbed BadSuccessor, allows an attacker to silently escalate privileges and gain full control of the domain without needing to exploit traditional vulnerabilities or compromise credentials.

The vulnerability lies in the operation of delegated Managed Service Accounts (dMSA), a new feature introduced by Microsoft to facilitate service account management. However, according to the report, the migration mechanism for these accounts can be manipulated to inherit permissions from any account, including domain administrators, without requiring elevated privileges.

Privilege escalation without touching privileged accounts

BadSuccessor allows any user with permission to create dMSA objects—common in environments with poorly configured delegation—to link a new dMSA to any other account in the domain (including members of Domain Admins) by modifying just two attributes:

  • msDS-ManagedAccountPrecededByLink: names the account whose rights the dMSA inherits (its “predecessor”).
  • msDS-DelegatedMSAState: set to the value that marks the migration as completed, so the dMSA is treated as the legitimate successor of that account.

Once the link is established, the Key Distribution Center (KDC), when generating the authentication ticket for the dMSA, adds the privileges and groups of the original account to the new object without any additional validation.

Impact: from a non-privileged user to full domain control

The attack works even in domains that are not actively using dMSAs. All that is required is at least one domain controller running Windows Server 2025. This greatly expands its reach, because dMSA support is part of the default configuration of the operating system.

In addition to granting administrative privileges, the vulnerability also allows the cryptographic keys of the superseded account to be reused, which paves the way for identity spoofing and long-term access to systems and services within the domain.

Microsoft acknowledges it, but no patch available

Akamai notified Microsoft in April 2025. The company acknowledged the flaw but classified it as a moderate risk, arguing that a specific permission (CreateChild) is required, which they believe already implies a high level of privilege. Currently, no patch has been released.

However, Akamai warns that this permission is not typically considered high risk, and that many environments allow its use without strict controls, making the threat difficult to detect.

How to detect and mitigate BadSuccessor

While awaiting an official fix, Akamai has published a series of recommendations for detecting and mitigating potential abuses:

Detection:

  • Audit the creation of dMSAs using event ID 5137.
  • Monitor changes to the msDS-ManagedAccountPrecededByLink attribute with event ID 5136.
  • Review dMSA authentications using event ID 2946, which shows when a TGT is generated with the inherited key package.
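The three detection bullets above can be turned into a single review script. The following PowerShell is an added example written for this article; it is not code from Akamai's report or a Microsoft tool. It assumes it runs on (or is pointed at) a Windows Server 2025 domain controller with the ActiveDirectory RSAT module installed, that "Audit Directory Service Changes" is enabled so events 5136/5137 are actually written, and that event 2946 is read from the "Directory Service" log (the log name is an assumption). Besides the event queries it also lists every existing dMSA that already points at a predecessor account, so the linked accounts can be checked against the change history.

```powershell
# Added example for the detection bullets; not from Akamai's report or any Microsoft tool.
# Assumptions: runs on (or -DomainController names) a Windows Server 2025 DC, the
# ActiveDirectory RSAT module is present, and "Audit Directory Service Changes" is on.
param(
    [string]$DomainController = $env:COMPUTERNAME,   # assumption: script runs on the DC
    [int]$Hours = 24                                  # look-back window
)
Import-Module ActiveDirectory

$since     = (Get-Date).AddHours(-$Hours)
$dmsaClass = 'msDS-DelegatedManagedServiceAccount'    # LDAP object class of a dMSA
$watched   = 'msDS-ManagedAccountPrecededByLink', 'msDS-DelegatedMSAState'

function Get-EventData {
    # Flatten the <EventData><Data Name="..."> elements of an event into a hashtable
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $data = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

# 5137 = directory object created, 5136 = directory object attribute modified
$secEvents = Get-WinEvent -ComputerName $DomainController -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Security'; Id = 5136, 5137; StartTime = $since
}

$suspect = foreach ($e in $secEvents) {
    $d = Get-EventData -Event $e
    $match = switch ($e.Id) {
        5137 { $d.ObjectClass -eq $dmsaClass }                 # a dMSA was created
        5136 { $d.AttributeLDAPDisplayName -in $watched }      # one of the two link attributes changed
    }
    if ($match) {
        [pscustomobject]@{
            Time      = $e.TimeCreated
            EventId   = $e.Id
            Subject   = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Object    = $d.ObjectDN
            Attribute = $d.AttributeLDAPDisplayName
            Value     = $d.AttributeValue
        }
    }
}

# 2946: the KDC issued a TGT to a dMSA carrying the predecessor's key package.
# Assumption: this event is read from the "Directory Service" log on the DC.
$kdcEvents = Get-WinEvent -ComputerName $DomainController -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Directory Service'; Id = 2946; StartTime = $since
}

# Standing state: every dMSA that already points at a predecessor account, for review
$linked = Get-ADObject -LDAPFilter "(&(objectClass=$dmsaClass)(msDS-ManagedAccountPrecededByLink=*))" `
    -Properties $watched |
    Select-Object Name, DistinguishedName,
        @{ n = 'Predecessor'; e = { $_.'msDS-ManagedAccountPrecededByLink' } },
        @{ n = 'State';       e = { $_.'msDS-DelegatedMSAState' } }

"`n== dMSA create/link changes in the last $Hours h (5137/5136) =="
$suspect | Sort-Object Time | Format-Table -AutoSize
"`n== dMSA TGTs with inherited key package (2946): $(@($kdcEvents).Count) =="
$kdcEvents | Select-Object TimeCreated, Message | Format-List
"`n== dMSAs currently linked to a predecessor =="
$linked | Format-Table -AutoSize
```

Run it periodically from a DC (for example as a scheduled task that writes the output to a SIEM). A 5137 for the dMSA class followed shortly by a 5136 on msDS-ManagedAccountPrecededByLink from the same subject, with a 2946 in the same window, is the sequence the article describes, and the third table shows whether any predecessor link already points at a privileged account.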

Mitigation:

  • Tightly restrict who can create dMSAs, especially in containers and Organizational Units (OUs).
  • Use auditing tools to identify all users with CreateChild permissions over dMSAs.
  • Apply the principle of least privilege to service account management.
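The first two mitigation bullets amount to one question: who is allowed to create child objects in each OU and container? The following PowerShell, an added example written for this article rather than code from Akamai's report or a Microsoft tool, answers it by walking the ACL of the domain head, every OU and every container and reporting each principal that holds CreateChild (GenericAll includes that bit) either for any object class or specifically for the dMSA class. It assumes the ActiveDirectory RSAT module (which provides the AD: drive) and read access to the ACLs; the "expected" list of administrative principals is an assumption you should adjust to your environment.

```powershell
# Added example for the mitigation bullets; not from Akamai's report or any Microsoft tool.
# Assumes the ActiveDirectory RSAT module (AD: drive) and permission to read ACLs.
Import-Module ActiveDirectory

# Resolve the schemaIDGUID of the dMSA class so class-scoped ACEs can be recognised
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$dmsaClass = Get-ADObject -SearchBase $schemaNC -Properties schemaIDGUID `
    -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=msDS-DelegatedManagedServiceAccount))'
if (-not $dmsaClass) { throw 'dMSA class not in schema: forest schema has not been extended for Windows Server 2025' }
$dmsaGuid = [guid]$dmsaClass.schemaIDGUID
$anyClass = [guid]::Empty     # ObjectType of all zeros: the right covers every child class

# Principals for which CreateChild is expected (assumption, adjust per environment);
# anything else is reported for review
$netbios  = (Get-ADDomain).NetBIOSName
$expected = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
            "$netbios\Domain Admins", "$netbios\Enterprise Admins"

# Domain head, all OUs and all containers: the places a dMSA can be created
$targets = @(Get-ADObject -Identity (Get-ADDomain).DistinguishedName) +
           @(Get-ADOrganizationalUnit -Filter *) +
           @(Get-ADObject -LDAPFilter '(objectClass=container)')

$create = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild

$findings = foreach ($t in $targets) {
    $acl = Get-Acl -Path "AD:\$($t.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        # GenericAll includes the CreateChild bit, so HasFlag catches both kinds of grant
        if ($ace.AccessControlType -ne 'Allow' -or -not $ace.ActiveDirectoryRights.HasFlag($create)) { continue }
        if ($ace.ObjectType -ne $anyClass -and $ace.ObjectType -ne $dmsaGuid) { continue }  # scoped to another class
        [pscustomobject]@{
            Container = $t.DistinguishedName
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.ActiveDirectoryRights
            Scope     = if ($ace.ObjectType -eq $dmsaGuid) { 'dMSA class only' } else { 'any child class' }
            Inherited = $ace.IsInherited
            Expected  = $expected -contains $ace.IdentityReference.Value
        }
    }
}

"Principals able to create dMSAs that are not in the expected list:"
$findings | Where-Object { -not $_.Expected } |
    Sort-Object Container, Identity -Unique |
    Format-Table Container, Identity, Rights, Scope, Inherited -AutoSize
```

Every row in the output is a principal that could create a dMSA in that container; remove the right where it is not needed, or confine dMSA creation to a dedicated OU with a tightly controlled ACL. The Inherited column separates grants made on the OU itself from those flowing down from the domain head, which is where broad CreateChild delegations usually originate.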

Conclusion

The BadSuccessor case is another example of how new features designed to simplify administration can become critical attack vectors if not accompanied by proper controls. The ability for an attacker to escalate privileges without modifying security-group membership or triggering the usual alerts makes detection especially challenging.

Organizations already using Windows Server 2025 should review their Active Directory configuration, limit delegation, and implement proactive monitoring measures. As Akamai notes in its report, “You don’t need a vulnerability to exploit a system, just a misunderstood behavior.”

Source: Akamai