A newly discovered vulnerability in Windows Server 2025’s delegated Managed Service Account (dMSA) feature has sent shockwaves through the cybersecurity community. Dubbed “BadSuccessor,” this flaw allows attackers with minimal permissions to escalate privileges and potentially compromise entire Active Directory (AD) domains.
What Is the dMSA Feature in Windows Server 2025?
Delegated Managed Service Accounts (dMSAs) were introduced in Windows Server 2025 to simplify service account management and to help organizations migrate from legacy service accounts, reducing risks from attacks like Kerberoasting. dMSAs can be created as standalone accounts or as replacements for existing service accounts, inheriting permissions and access rights as part of the migration process.
The BadSuccessor dMSA Vulnerability
Security researchers from Akamai and other firms have revealed that the dMSA migration mechanism contains a critical design flaw. By exploiting this, an attacker with basic permissions—specifically, write access to any dMSA object or the ability to create dMSAs in an Organizational Unit (OU)—can simulate a migration and inherit the permissions of any user, including domain administrators.
Key Facts:
- The attack works even if your domain is not actively using dMSAs. The mere presence of a Windows Server 2025 domain controller makes the vulnerability exploitable.
- In 91% of real-world environments analyzed, non-admin users had sufficient permissions to launch the attack.
- Proof-of-concept exploits have been released, increasing the urgency for mitigation.
Microsoft’s Response and Risk Assessment
Microsoft has acknowledged the vulnerability, classifying it as moderate severity because exploitation requires specific permissions on dMSA objects. However, security researchers and industry experts argue that the flaw’s ease of exploitation and potential for domain-wide compromise make it a critical risk.
A patch is in development, but as of June 2025, no fix is available. Organizations are urged to take immediate steps to reduce their exposure.
Mitigation and Best Practices
1. Restrict dMSA Permissions: Limit the ability to create or modify dMSAs to trusted administrators only.
2. Audit and Monitor:
   - Log and review all dMSA creation, modification, and authentication events.
   - Use available PowerShell scripts to identify users with dMSA-related permissions and remove unnecessary rights.
3. Prepare for Patch Deployment: Monitor Microsoft’s official channels for the upcoming security update, expected in an imminent Patch Tuesday release.
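As an added example (not code from the article or from Microsoft), the audit step above can be done with a short PowerShell script that reports principals outside an assumed "trusted" list who can create dMSAs in an OU or modify an existing dMSA object. It assumes the ActiveDirectory module and its AD: PSDrive are available, and the trusted-identity list is a placeholder to adjust for your domain.

```powershell
# Added example: find non-admin principals with dMSA creation or write rights.
# Assumes the ActiveDirectory module (AD: drive). $trusted is an assumed list; tune it.
Import-Module ActiveDirectory

# Resolve the schemaIDGUID of the dMSA class so class-scoped CreateChild ACEs can be matched.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$dmsaClassGuid = [guid](Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=msDS-DelegatedManagedServiceAccount)' `
    -Properties schemaIDGUID).schemaIDGUID

# Identities whose rights are expected; anything else is reported for review.
$trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'Domain Admins',
             'Enterprise Admins', 'ENTERPRISE DOMAIN CONTROLLERS')
function Test-TrustedIdentity([string]$Identity) {
    foreach ($t in $trusted) { if ($Identity -like "*$t*") { return $true } }
    return $false
}

$createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
$genericAll  = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$findings = @()

# 1. OUs where a non-trusted principal may create dMSA objects (class-scoped or any class).
foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    foreach ($ace in (Get-Acl -Path "AD:\$($ou.DistinguishedName)").Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $canCreate = ([int]($ace.ActiveDirectoryRights -band $createChild) -ne 0) -and
                     ($ace.ObjectType -eq $dmsaClassGuid -or $ace.ObjectType -eq [guid]::Empty)
        $full = [int]($ace.ActiveDirectoryRights -band $genericAll) -ne 0
        if (($canCreate -or $full) -and -not (Test-TrustedIdentity $ace.IdentityReference.Value)) {
            $findings += [pscustomobject]@{ Object = $ou.DistinguishedName; Identity = $ace.IdentityReference.Value
                                            Rights = $ace.ActiveDirectoryRights; Why = 'Can create dMSA in OU' }
        }
    }
}

# 2. Existing dMSA objects a non-trusted principal can modify (attribute-scoped WriteProperty
#    ACEs are included so they get reviewed rather than silently accepted).
$writeRights = 'GenericAll','GenericWrite','WriteProperty','WriteDacl','WriteOwner'
foreach ($dmsa in Get-ADObject -LDAPFilter '(objectClass=msDS-DelegatedManagedServiceAccount)') {
    foreach ($ace in (Get-Acl -Path "AD:\$($dmsa.DistinguishedName)").Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $hasWrite = $writeRights | Where-Object { $ace.ActiveDirectoryRights.ToString() -match $_ }
        if ($hasWrite -and -not (Test-TrustedIdentity $ace.IdentityReference.Value)) {
            $findings += [pscustomobject]@{ Object = $dmsa.DistinguishedName; Identity = $ace.IdentityReference.Value
                                            Rights = $ace.ActiveDirectoryRights; Why = 'Can modify existing dMSA' }
        }
    }
}
$findings | Sort-Object Object, Identity | Format-Table -AutoSize
```

Each reported identity is a candidate for the "remove unnecessary rights" step; inherited ACEs are listed too, so trace them to the OU where they were granted before removing them.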
Broader Impact
The BadSuccessor vulnerability is a stark reminder of the risks posed by convenience features in complex enterprise environments. Organizations relying on Active Directory must act swiftly to harden their environments and stay informed about Microsoft’s patching efforts.
With proof-of-concept exploits in the wild and most AD environments at risk, the dMSA vulnerability in Windows Server 2025 demands immediate attention. By restricting permissions, auditing activity, and preparing for Microsoft’s forthcoming patch, organizations can minimize their exposure and protect their critical infrastructure from domain-wide compromise.