Exploring the risks of delegated managed service accounts and what organizations can do to protect themselves.
Key Takeaways:
Cybersecurity researchers have discovered a critical privilege escalation vulnerability in Windows Server 2025 that could allow attackers to take over any Active Directory (AD) user. The flaw lies in the delegated Managed Service Account (dMSA) feature, turning a security enhancement into a potential gateway for compromise.
In Windows Server 2025, the delegated Managed Service Account (dMSA) is a machine-bound identity designed to replace traditional service accounts. It enhances security by using automatically managed, non-retrievable credentials that are tied to a specific device, which prevents common attacks like Kerberoasting. dMSAs do not store passwords in Active Directory and restrict usage to authorized machines only, which offers tighter control and integration with features like Credential Guard for enhanced protection.
This critical vulnerability was first discovered by Akamai researcher Yuval Gordon in Windows Server 2025 on April 1. This flaw exists in the default configuration of the server, and it requires minimal technical skills. Gordon named the vulnerability and its associated exploit “BadSuccessor” to indicate how the delegated Managed Service Account (dMSA), which is supposed to be a secure successor to a legacy account, can become a malicious or dangerous replacement if exploited.
According to the Akamai researcher, the attack abuses the way delegated Managed Service Accounts (dMSAs) are created and managed in Active Directory. A temporary link is established between the original user account and the new dMSA object during the dMSA migration process. An attacker with only minimal permissions can create a malicious dMSA that impersonates a privileged user. This allows the attacker to escalate privileges by tricking the system into treating the attacker-controlled account as if it were the legitimate, high-privilege user.
This attack is especially dangerous because it doesn’t require full administrative privileges. Since the dMSA feature is enabled by default in domains running Windows Server 2025, the vulnerability is widespread and can be exploited even if dMSAs aren’t actively in use within the organization.
“As long as the feature exists, which it does in any domain with at least one Windows Server 2025 domain controller (DC), (the flaw) becomes available,” Akamai researcher Yuval Gordon explained. “All an attacker needs to perform this attack is a benign permission on any organizational unit (OU) in the domain — a permission that often flies under the radar.”
Currently, Microsoft’s engineers are working on a patch to address the BadSuccessor vulnerability, though there is no ETA yet. Fortunately, there is no evidence that attackers have exploited the BadSuccessor vulnerability in the wild. However, that doesn’t necessarily mean it hasn’t been exploited, because most organizations aren’t actively monitoring the specific system events that would reveal such an attack.
For the BadSuccessor attack to work, the attacker must have write access to a specific attribute called msds-groupMSAMembership on the dMSA object. This access lets them link the dMSA to a privileged user account, which allows the dMSA to act on that user’s behalf.
Akamai researchers have suggested several detection and mitigation strategies to help organizations defend against the BadSuccessor vulnerability. Until Microsoft releases a fix, administrators should monitor the creation and modification of dMSA objects, particularly in Organizational Units (OUs) where non-admin users have permissions. Moreover, tools like BloodHound can be used to identify users with permissions that might be abused to create or alter dMSAs. IT teams should also track unexpected associations between dMSAs and privileged accounts.
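The permission audit described above can be scripted against the OU ACLs directly. The following PowerShell is an added example written for this article; it is not Akamai's script. It assumes the ActiveDirectory module is available, that the domain's NetBIOS name matches `$env:USERDOMAIN`, and that the list of expected privileged principals (`$expected`) is adjusted to the environment; it resolves the schema GUID of the dMSA object class so that ACEs allowing creation of that specific child type are caught alongside blanket create and full-control rights.

```powershell
# Added example: report OU ACEs that let non-admin principals create dMSA objects
# (or any child object) or take full control of the OU. Not Akamai's script.
Import-Module ActiveDirectory

$schemaNC = (Get-ADRootDSE).schemaNamingContext
# The dMSA object class only exists once the Windows Server 2025 schema is present.
$dmsaClass = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=msDS-DelegatedManagedServiceAccount)' `
    -Properties schemaIDGUID
if (-not $dmsaClass) { throw 'dMSA class not found in schema; no Windows Server 2025 schema in this forest.' }
$dmsaGuid = [guid]$dmsaClass.schemaIDGUID
$anyGuid  = [guid]::Empty   # an all-zero ObjectType means "create a child of any class"

# Principals expected to hold these rights; everything else is reported. Assumption: adjust per domain.
$expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
              "$env:USERDOMAIN\Domain Admins", "$env:USERDOMAIN\Enterprise Admins")

$R = [System.DirectoryServices.ActiveDirectoryRights]

$findings = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id = $ace.IdentityReference.Value
        if ($expected -contains $id) { continue }
        $rights = $ace.ActiveDirectoryRights

        # CreateChild scoped to the dMSA class, or unscoped (any child class)
        $canCreateDmsa = (($rights -band $R::CreateChild) -ne 0) -and
                         ($ace.ObjectType -eq $dmsaGuid -or $ace.ObjectType -eq $anyGuid)
        # Full control, or the ability to grant it to oneself (WriteDacl / WriteOwner).
        # GenericAll is a mask, so compare the masked value rather than testing non-zero.
        $canControl = (($rights -band $R::GenericAll) -eq $R::GenericAll) -or
                      (($rights -band $R::WriteDacl)  -ne 0) -or
                      (($rights -band $R::WriteOwner) -ne 0)

        if ($canCreateDmsa -or $canControl) {
            [pscustomobject]@{
                OU        = $ou.DistinguishedName
                Principal = $id
                Rights    = $rights
                Inherited = $ace.IsInherited   # inherited from the domain root or a parent OU
            }
        }
    }
}
$findings | Sort-Object OU, Principal | Format-Table -AutoSize
```

Run it as a domain user with read access to OU security descriptors; every row is a principal that should be reviewed against the least-privilege guidance above, with inherited entries traced back to the object that grants them.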
Organizations are advised to restrict who can create or modify objects within Active Directory OUs and avoid granting unnecessary permissions that could facilitate dMSA migration abuse. It’s highly recommended to apply the principle of least privilege, and dMSA support should be disabled if it is not in use.
Lastly, Akamai has released a new PowerShell script to help administrators identify risky permissions and take action (such as removing unnecessary rights or tightening access controls) to reduce the attack surface. Windows Server administrators who want the full details are invited to read the complete report on Akamai’s official blog.