Critical Windows Server 2025 dMSA Vulnerability Enables Active Directory Compromise

Avatar
A privilege escalation flaw has been demonstrated in Windows Server 2025 that makes it possible for attackers to compromise any user in Active Directory (AD). “The attack exploits the delegated Managed Service Account (dMSA) feature that was introduced in Windows Server 2025, works with the default configuration, and is trivial to implement,” Akamai security researcher Yuval Gordon said in a

A privilege escalation flaw has been demonstrated in Windows Server 2025 that makes it possible for attackers to compromise any user in Active Directory (AD).

“The attack exploits the delegated Managed Service Account (dMSA) feature that was introduced in Windows Server 2025, works with the default configuration, and is trivial to implement,” Akamai security researcher Yuval Gordon said in a report shared with The Hacker News.

“This issue likely affects most organizations that rely on AD. In 91% of the environments we examined, we found users outside the domain admins group that had the required permissions to perform this attack.”

What makes the attack pathway notable is that it leverages a new feature called Delegated Managed Service Accounts (dMSA) that allows migration from an existing legacy service account. It was introduced in Windows Server 2025 as a mitigation to Kerberoasting attacks.

The attack technique has been codenamed BadSuccessor by the web infrastructure and security company.

“dMSA allows users to create them as a standalone account, or to replace an existing standard service account,” Microsoft notes in its documentation. “When a dMSA supersedes an existing account, authentication to that existing account using its password is blocked.”

“The request is redirected to the Local Security Authority (LSA) to authenticate using dMSA, which has access to everything the previous account could access in AD. During migration, dMSA automatically learns the devices on which the service account is to be used which is then used to move from all existing service accounts.”

The problem identified by Akamai is that during the dMSA Kerberos authentication phase, the Privilege Attribute Certificate (PAC) embedded into a ticket-granting ticket (i.e., credentials used to verify identity) issued by a key distribution center (KDC) includes both the dMSAs security identifier (SID) as well as the SIDs of the superseded service account and of all its associated groups.

This permissions transfer between accounts could open the door to a potential privilege escalation scenario by simulating the dMSA migration process to compromise any user, including domain administrators, and gain similar privileges, effectively breaching the entire domain even if an organization’s Windows Server 2025 domain isn’t using dMSAs at all.

“One interesting fact about this ‘simulated migration’ technique, is that it doesn’t require any permissions over the superseded account,” Gordon said. “The only requirement is to write permissions over the attributes of a dMSA. Any dMSA.”

“Once we’ve marked a dMSA as preceded by a user, the KDC automatically assumes a legitimate migration took place and happily grants our dMSA every single permission that the original user had, as though we are its rightful successor.”

Akamai said it reported the findings to Microsoft on April 1, 2025, following which the tech giant classified the issue as moderate in severity and that it does not meet the bar for immediate servicing due to the fact that successful exploitation requires an attacker to have specific permissions on the dMSA object, which suggests an elevation of privileges. However, a patch is currently in the works.

Given that there is no immediate fix for the attack, organizations are advised to limit the ability to create dMSAs and harden permissions wherever possible. Akamai has also released a PowerShell script that can enumerate all non-default principals who can create dMSAs and list the organizational units (OUs) in which each principal has this permission.

“This vulnerability introduces a previously unknown and high-impact abuse path that makes it possible for any user with CreateChild permissions on an OU to compromise any user in the domain and gain similar power to the Replicating Directory Changes privilege used to perform DCSync attacks,” Gordon said.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

 The Hacker News 

Total
0
Shares
Previous Post

Chinese Hackers Exploit Ivanti EPMM Bugs in Global Enterprise Network Attacks

Next Post

Chinese Hackers Exploit Trimble Cityworks Flaw to Infiltrate U.S. Government Networks

Related Posts

Researchers Identify Rack::Static Vulnerability Enabling Data Breaches in Ruby Servers

Cybersecurity researchers have disclosed three security flaws in the Rack Ruby web server interface that, if successfully exploited, could enable attackers to gain unauthorized access to files, inject malicious data, and tamper with logs under certain conditions. The vulnerabilities, flagged by cybersecurity vendor OPSWAT, are listed below - CVE-2025-27610 (CVSS score: 7.5) - A path traversal
Avatar
Read More

Between Buzz and Reality: The CTEM Conversation We All Need

I had the honor of hosting the first episode of the Xposure Podcast live from Xposure Summit 2025. And I couldn’t have asked for a better kickoff panel: three cybersecurity leaders who don’t just talk security, they live it. Let me introduce them. Alex Delay, CISO at IDB Bank, knows what it means to defend a highly regulated environment. Ben Mead, Director of Cybersecurity at Avidity
Avatar
Read More

Blind Eagle Uses Proton66 Hosting for Phishing, RAT Deployment on Colombian Banks

The threat actor known as Blind Eagle has been attributed with high confidence to the use of the Russian bulletproof hosting service Proton66. Trustwave SpiderLabs, in a report published last week, said it was able to make this connection by pivoting from Proton66-linked digital assets, leading to the discovery of an active threat cluster that leverages Visual Basic Script (VBS) files as its
Avatar
Read More