
Threat overview
Discovered by Akamai Security Intelligence researcher Yuval Gordon, BadSuccessor lets any principal that can write to a dMSA object, or merely create one, trick the Key Distribution Center (KDC) into issuing it the full privileges of any Active Directory account, Domain Admins included. The attack works against any domain that contains at least one Windows Server 2025 domain controller, even if the domain does not use dMSAs at all: the feature only has to exist on a DC, not be in use.
Attack mechanics and our response
The vulnerability abuses the migration link between a dMSA and the account it supersedes. Nothing on the target account is ever changed; every step touches only the attacker-controlled dMSA, which is why monitoring of the privileged account itself will not fire. The attack unfolds like this:
- An attacker with CreateChild permission on any OU or container creates a dMSA there, or takes over an existing dMSA they can write to
- They point the dMSA at a target privileged account by writing its distinguished name into msDS-ManagedAccountPrecededByLink
- They set msDS-DelegatedMSAState to 2 ("migration completed"), so the KDC treats the dMSA as that account's legitimate successor even though no migration was ever started
- They request a TGT for the dMSA (Rubeus supports this); the PAC in the resulting ticket carries the SID and group memberships of the superseded account, so the dMSA can act as that account
In addition, the KDC returns a KERB-DMSA-KEY-PACKAGE alongside the ticket. Its current-keys field holds the dMSA's own keys and its previous-keys field holds the superseded account's Kerberos keys, including the RC4-HMAC key, which is that account's NT hash. The attack therefore yields not only a ticket but reusable credential material for the target.
At CovertSwarm, we have already built an internal proof-of-concept exploit and use it to validate customer resilience against this threat. Clients get early assurance while we withhold public release so that adversaries cannot reuse our work. This is our constant attack methodology in practice: find the weakness before malicious actors can exploit it.
Get in touch to learn more about our proof-of-concept exploit.
Defense strategies
Until Microsoft releases its promised patch, organizations must rely on strict hardening and monitoring:
Immediate actions:
- Restrict dMSA management: limit CreateChild on OUs and containers (which permits creating msDS-DelegatedManagedServiceAccount objects) and Write on existing dMSAs to a small, trusted admin group, and treat those rights as Tier 0
- Remove non-essential ACL entries on dMSA containers and related OUs, paying particular attention to inherited ACEs granted to broad groups
- Enable a SACL on the relevant OUs together with the "Audit Directory Service Changes" subcategory, so that dMSA creation (objectClass msDS-DelegatedManagedServiceAccount) is logged as Event ID 5137 and attribute changes as Event ID 5136
- Alert on Event ID 5136 entries that modify msDS-ManagedAccountPrecededByLink or msDS-DelegatedMSAState; a legitimate migration is a planned change, so any unexpected write is a strong signal
- Watch for Event ID 2946 in the Directory Service log on Windows Server 2025 DCs, which is written when a TGT is issued for a dMSA (i.e. a KERB-DMSA-KEY-PACKAGE was returned); in a domain with few or no dMSAs, every occurrence warrants review
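The following PowerShell audit ties the actions above together. It is an added example, not CovertSwarm's tooling and not Akamai's published script: it lists the OUs and containers where a principal outside a trusted set can create a dMSA, lists existing dMSAs such a principal can modify, and then pulls the related 5136/5137 and 2946 events from the DC it runs on. It assumes the RSAT ActiveDirectory module, a schema that already contains the msDS-DelegatedManagedServiceAccount class (i.e. a Windows Server 2025 DC has been promoted), and that the placeholder $trusted list is adapted to the principals you actually expect to hold these rights.

```powershell
# Added example, not CovertSwarm's or Akamai's code. Audits (1) OUs/containers where a
# non-trusted principal can create a dMSA, (2) existing dMSAs a non-trusted principal
# can modify, and (3) pulls the related audit events from the DC it runs on.
# Assumptions: RSAT ActiveDirectory module; the schema already contains the
# msDS-DelegatedManagedServiceAccount class (a Windows Server 2025 DC exists);
# $trusted is a placeholder list you must adapt before relying on the output.
Import-Module ActiveDirectory

$ADR = [System.DirectoryServices.ActiveDirectoryRights]

$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$dmsaClass = Get-ADObject -SearchBase $schemaNC -Properties schemaIDGUID -LDAPFilter '(lDAPDisplayName=msDS-DelegatedManagedServiceAccount)'
if (-not $dmsaClass) { throw 'dMSA class not in schema; no Windows Server 2025 DC has been promoted yet.' }
$dmsaGuid = [guid]$dmsaClass.schemaIDGUID
$anyGuid  = [guid]::Empty   # ObjectType is all-zero when an ACE covers every class/attribute

# Placeholder: principals allowed to hold these rights. Adapt to your environment.
$dom     = (Get-ADDomain).NetBIOSName
$trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', "$dom\Domain Admins", "$dom\Enterprise Admins")

# Rights that let the holder rewrite the object, or its ACL, outright
$takeover = @($ADR::GenericAll, $ADR::GenericWrite, $ADR::WriteDacl, $ADR::WriteOwner)
function Test-TakeoverRight($Rights) {
    foreach ($t in $takeover) { if ($Rights.HasFlag($t)) { return $true } }
    return $false
}

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Kind, $Object, $Ace) {
    $findings.Add([pscustomobject]@{
        Kind = $Kind; Object = $Object; Principal = $Ace.IdentityReference.Value
        Rights = $Ace.ActiveDirectoryRights; Inherited = $Ace.IsInherited
    })
}

# Only Allow ACEs held by someone outside the trusted list are interesting
function Get-UntrustedAllowAces($Dn) {
    (Get-Acl -Path "AD:\$Dn").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $trusted -notcontains $_.IdentityReference.Value
    }
}

# 1. Where can a non-trusted principal create a dMSA? CreateChild scoped to the dMSA
#    class (or to all classes) is enough; so is any takeover right on the container.
$domainDn = (Get-ADDomain).DistinguishedName
foreach ($c in Get-ADObject -SearchBase $domainDn -LDAPFilter '(|(objectClass=organizationalUnit)(objectClass=container))') {
    foreach ($ace in Get-UntrustedAllowAces $c.DistinguishedName) {
        $createDmsa = $ace.ActiveDirectoryRights.HasFlag($ADR::CreateChild) -and
                      ($ace.ObjectType -eq $dmsaGuid -or $ace.ObjectType -eq $anyGuid)
        if ($createDmsa -or (Test-TakeoverRight $ace.ActiveDirectoryRights)) {
            Add-Finding 'CanCreateDMSA' $c.DistinguishedName $ace
        }
    }
}

# 2. Which existing dMSAs can a non-trusted principal modify? Any WriteProperty is
#    flagged; narrow on the GUIDs of the two link attributes if this is too noisy.
foreach ($d in Get-ADObject -SearchBase $domainDn -LDAPFilter '(objectClass=msDS-DelegatedManagedServiceAccount)') {
    foreach ($ace in Get-UntrustedAllowAces $d.DistinguishedName) {
        if ($ace.ActiveDirectoryRights.HasFlag($ADR::WriteProperty) -or (Test-TakeoverRight $ace.ActiveDirectoryRights)) {
            Add-Finding 'CanWriteDMSA' $d.DistinguishedName $ace
        }
    }
}
$findings | Sort-Object Kind, Object | Format-Table -AutoSize

# 3. Recent audit trail on this DC. 5136/5137 need the "Audit Directory Service Changes"
#    subcategory plus a SACL on the OU; 2946 is written by 2025 DCs when a dMSA gets a TGT.
$changes = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136, 5137 } -MaxEvents 2000 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'msDS-DelegatedManagedServiceAccount|msDS-ManagedAccountPrecededByLink|msDS-DelegatedMSAState' }
$logons  = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2946 } -MaxEvents 200 -ErrorAction SilentlyContinue
@($changes) + @($logons) | Where-Object { $null -ne $_ } | Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, Message | Format-List
```

Run it from an elevated session on a Windows Server 2025 DC (the AD: drive comes from the ActiveDirectory module, and the event queries read that DC's local logs). An empty findings table is not proof of safety: inherited ACEs from parent containers are included, but rights granted through nested group membership only show up under the group's name, so resolve the listed principals against your privileged-group inventory before treating them as benign.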
Detection resources: Akamai has published a detection and audit script at https://github.com/akamai/BadSuccessor. As always, review any external code before executing it in your environment.
More information will be published in the coming days.