Table of Contents
Can the BadSuccessor Exploit in Windows Server 2025 Lead to a Catastrophic Domain Takeover?
The BadSuccessor vulnerability is a critical privilege escalation flaw in Windows Server 2025, specifically targeting the newly introduced Delegated Managed Service Accounts (dMSA) feature in Active Directory (AD). This issue allows attackers with minimal permissions to gain full control over any user, including domain administrators, across the AD domain—even in default configurations.
What is dMSA?
Delegated Managed Service Accounts (dMSA) are a new feature in Windows Server 2025, designed to replace legacy service accounts by automating password management and improving security. dMSAs can inherit permissions from existing accounts during migration, streamlining transitions but introducing new risks.
How Does the BadSuccessor Attack Work?
The vulnerability exploits the dMSA migration mechanism by manipulating two key attributes: msDS-ManagedAccountPrecededByLink and msDS-DelegatedMSAState.
Attackers with only “CreateChild” permissions on any Organizational Unit (OU) can create a dMSA and link it to any target account, causing the dMSA to inherit all permissions of the target.
No changes to group memberships or privileged account access are required, making detection difficult and the attack surface broad.
Proof of Concept and Tools
Two public proof-of-concept (PoC) exploits exist, including the .NET-based SharpSuccessor, which automates the attack chain.
The attack chain involves:
- Creating a malicious dMSA impersonating a privileged account.
- Using Kerberos tools (e.g., Rubeus) to obtain tickets and escalate privileges.
- Gaining administrative access to domain controllers and other sensitive resources.
Prevalence and Exposure
Research shows that 91% of AD environments have non-administrative users with sufficient permissions to exploit BadSuccessor. The attack works even if dMSAs are not actively used, as long as at least one Windows Server 2025 domain controller exists in the environment.
Microsoft’s Response and Industry Criticism
Microsoft has acknowledged the vulnerability but rated it as “moderate,” delaying the release of a patch.
Security experts and government agencies have criticized this assessment, with Germany’s BSI rating the issue 9.9/10 in severity.
The lack of an immediate fix and the public disclosure of exploit details have sparked debate about responsible vulnerability management.
Technical Summary of the Attack Process
- Identify an OU with “CreateChild” permissions.
- Create a dMSA object and set its attributes to link it to a privileged account.
- Use Kerberos ticketing tools to authenticate as the dMSA, inheriting the target’s privileges.
- Leverage the new privileges to access or control sensitive resources, including full domain takeover.
Mitigation Strategies
- Restrict dMSA creation and modification permissions to trusted administrators only.
- Audit and monitor for dMSA creation events (Event ID 5137) and attribute changes (Event ID 5136).
- Regularly review and minimize permissions for users and service accounts, especially those related to OUs and dMSAs.
- Consider demoting Windows Server 2025 domain controllers or delaying upgrades until a patch is available.
BadSuccessor represents a severe security risk to organizations running or planning to deploy Windows Server 2025. The combination of low exploitation barriers, widespread exposure, and delayed vendor response underscores the need for immediate administrative action and continuous monitoring to protect Active Directory environments.