Significant Vulnerability in Windows Server 2025 dMSA Poses Risk of Active Directory Compromise


A recently identified privilege escalation vulnerability in Windows Server 2025 poses significant risks to organizations utilizing Active Directory (AD). This flaw allows attackers to compromise any user account within AD, leveraging the delegated Managed Service Account (dMSA) feature introduced with this server version.

Yuval Gordon, a security researcher from Akamai, noted that the attack takes advantage of the dMSA capabilities, which are designed to enhance security against existing threats. The vulnerability is strikingly easy to exploit and does not require intricate configurations. Research indicated that 91% of environments analyzed contained users outside of the domain admin group who possessed the necessary permissions to execute this attack.

A key aspect of the vulnerability is the functionality of dMSA, which allows for the transition from traditional service accounts to more secure accounts. This feature was implemented to mitigate risks, including potential Kerberoasting attacks. However, the exploitation of this new feature is now an evident concern.

The attack technique, referred to as BadSuccessor, enables unauthorized users to exploit a flaw in the Kerberos authentication process associated with dMSA. During authentication, the Privilege Attribute Certificate (PAC) embedded in the ticket-granting ticket includes both the dMSA's security identifier (SID) and the SIDs belonging to the preceding service account and its affiliated groups. This inheritance of permissions can facilitate privilege escalation, permitting attackers to impersonate any user, including domain administrators, and thus compromise the integrity of the entire domain.

An important point raised by Gordon is that the simulated migration process does not require any permissions on the superseded account; it only requires the ability to modify attributes of a dMSA. Once the dMSA is designated as the successor, the key distribution center (KDC) treats this as a legitimate migration and grants the dMSA all permissions of the original user.

Akamai reported this vulnerability to Microsoft on April 1, 2025. Microsoft characterized the issue as moderate in severity, noting that successful exploitation requires certain permissions on the dMSA object, and classified it as an elevation of privilege. A patch is underway to address the vulnerability.

In the absence of a prompt fix, organizations are urged to restrict the ability to create dMSAs and to reinforce permissions wherever feasible. Akamai has made available a PowerShell script designed to enumerate all non-default principals authorized to create dMSAs and identify the organizational units (OUs) where these permissions apply.
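The following PowerShell is an added example written for this article; it is not Akamai's published script. It performs the two audits a defender would want here: first, it walks every OU and reports non-default principals holding an Allow ACE for CreateChild (either unrestricted or scoped to the dMSA object class) or GenericAll, which is the permission set the article identifies as sufficient for the attack; second, it lists existing dMSAs that already carry a predecessor link, so that unexpected "successor" objects can be reviewed. It assumes the ActiveDirectory RSAT module is available and that the account running it can read OU security descriptors. The list of default principals is an assumption and should be adjusted to the environment's delegation model.

```powershell
# Added audit example (not Akamai's script). Requires the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

function Get-DmsaCreateChildGrants {
    <# Reports non-default principals that can create child objects (or hold GenericAll)
       on each OU, which is enough to create a dMSA in that OU. Inherited ACEs are
       included; the InheritedObjectType filter is deliberately ignored so that broad
       grants are never missed (review the Rights column for false positives). #>
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    # Resolve the schemaIDGUID of the dMSA object class to match class-scoped CreateChild ACEs.
    $dmsaClass = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter '(lDAPDisplayName=msDS-DelegatedManagedServiceAccount)' `
        -Properties schemaIDGUID
    $dmsaGuid = [guid]$dmsaClass.schemaIDGUID
    $allGuid  = [guid]'00000000-0000-0000-0000-000000000000'   # ACE applies to all object types

    # Assumption: these principals are expected to hold the right; everything else is reported.
    $netbios = (Get-ADDomain).NetBIOSName
    $defaultPrincipals = @(
        'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
        'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
        "$netbios\Domain Admins", "$netbios\Enterprise Admins"
    )

    $createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
    $genericAll  = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

    foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
        $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $rights = $ace.ActiveDirectoryRights

            # CreateChild for any class or specifically for the dMSA class.
            $grantsCreate = (($rights -band $createChild) -ne 0) -and
                            ($ace.ObjectType -eq $allGuid -or $ace.ObjectType -eq $dmsaGuid)
            # GenericAll implies CreateChild and the ability to grant it to others.
            $grantsAll = (($rights -band $genericAll) -eq $genericAll)
            if (-not ($grantsCreate -or $grantsAll)) { continue }

            $who = $ace.IdentityReference.Value
            if ($defaultPrincipals -contains $who) { continue }

            [pscustomobject]@{
                OU        = $ou.DistinguishedName
                Principal = $who
                Rights    = $rights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Get-DmsaSuccessorLinks {
    <# Lists dMSAs whose predecessor link is populated. A link that was not set by a
       planned migration is worth investigating. Attribute names are the real schema
       attributes used by the dMSA migration flow; they are not taken from the article. #>
    Get-ADObject -LDAPFilter '(&(objectClass=msDS-DelegatedManagedServiceAccount)(msDS-ManagedAccountPrecededByLink=*))' `
        -Properties msDS-ManagedAccountPrecededByLink, msDS-DelegatedMSAState, whenChanged |
    Select-Object Name, DistinguishedName,
        @{ n = 'Predecessor'; e = { $_.'msDS-ManagedAccountPrecededByLink' } },
        @{ n = 'MigrationState'; e = { $_.'msDS-DelegatedMSAState' } },
        whenChanged
}

# Usage
Get-DmsaCreateChildGrants | Sort-Object OU, Principal | Format-Table -AutoSize
Get-DmsaSuccessorLinks    | Format-Table -AutoSize
```

Both functions are read-only. The first report is the one to act on: every principal it lists can create a dMSA in the named OU and, per the article, therefore holds the precondition for the attack; tighten or remove those grants, starting with inherited ones that originate high in the OU tree.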

This vulnerability highlights a considerable and previously unidentified risk: any user with CreateChild permissions on an OU can gain unauthorized access to any user in the domain, effectively obtaining privileges comparable to those gained through DCSync attacks. Organizations are encouraged to evaluate and enhance their security measures to mitigate the risks associated with this vulnerability.