BadSuccessor: The Windows Server 2025 Flaw That's Giving IT Admins Nightmares
Heads up, folks — there's a nasty new vulnerability in town, and this one's a doozy. Security researchers just uncovered a critical flaw in Windows Server 2025 that essentially hands over the keys to your entire Active Directory kingdom with minimal effort. They're calling it "BadSuccessor" (because apparently all serious vulnerabilities need catchy names these days), and it's got IT teams scrambling.
Here's the scary part: if you've got even a single Windows Server 2025 domain controller in your environment, you're vulnerable — whether you're actively using the problematic feature or not. And Microsoft? They're basically saying, "Yeah, we'll get to it eventually." Not exactly reassuring.
"As long as you have one Windows Server 2025 domain controller, your domain doesn't even need to be using dMSAs at all—the exploit will work anyway." — Yuval Gordon, the security researcher who discovered this mess
So What Exactly Is This BadSuccessor Thing?
In a nutshell, BadSuccessor is a privilege escalation vulnerability that exploits a fundamental flaw in Windows Server 2025's new delegated Managed Service Account (dMSA) feature. Don't let the technical jargon fool you — this is basically a glitch that lets attackers with seemingly harmless permissions gain god-mode access to your entire network.
According to Akamai Technologies (the security firm that discovered it), this vulnerability "works with the default configuration and is trivial to implement." Translation: hackers don't need to be particularly skilled to exploit this. Even worse, their research found that 91% of examined environments contained users outside the domain admins group with sufficient permissions to pull this off. Yikes.
Not sure if your Active Directory environment is properly secured? Our cybersecurity team can perform a comprehensive security assessment to identify vulnerabilities like BadSuccessor before attackers find them. We've helped dozens of Florida businesses shore up their Active Directory defenses in the past year alone.
How This Attack Actually Works
The technical details are fascinating (if you're into that sort of thing), but here's the simplified version of how attackers can exploit BadSuccessor:
- Get a foot in the door — All they need is permission on any organizational unit in your domain. That's it. This is a permission that's commonly granted to help desk staff, IT support, and various other non-admin roles.
- Play the impersonation game — They create or modify a delegated Managed Service Account (dMSA) and tweak some attributes to make it look like it's replacing a high-privilege account.
- Watch Windows hand over the crown jewels — The system automatically grants the dMSA all permissions of the "replaced" account, even though no legitimate migration actually happened.
- Go wild with domain admin powers — Now they can impersonate literally any user in your domain, including administrators, without triggering the usual security alarms.
What makes this particularly sneaky is that the attack doesn't require creating new admin accounts or changing group memberships — actions that might trigger alerts or leave obvious audit trails. It's like having a master key that doesn't show up in any of your key logs.
Why Everyone Running Windows Server 2025 Should Be Worried
The most alarming aspect of BadSuccessor is its universal impact. Most vulnerabilities affect specific configurations or require certain features to be enabled. Not this one.
Even if you've never heard of dMSAs or haven't implemented them, you're still vulnerable as long as you're running Windows Server 2025. It's like buying a new car with a fancy feature you never use, only to discover that feature can let anyone steal your car — even if you've never pressed that particular button.
And let's be honest — many organizations have already upgraded to Windows Server 2025 for its performance improvements and new features. If you're among them, you've got some work to do.
Need help securing your Windows Server environment? Our managed IT services include proactive server management and security monitoring to protect against emerging threats like BadSuccessor. We can implement the necessary mitigations while you focus on running your business.
Microsoft's Response (Or Lack Thereof)
Here's where things get frustrating. Microsoft has acknowledged the vulnerability but classified it as "Moderate severity," claiming it "does not meet our bar for immediate servicing, as the technique requires elevated user permissions to be successful."
Security experts are scratching their heads at this assessment. The "elevated permissions" Microsoft refers to are actually quite common in most organizations. As Yuval Gordon noted, "We were surprised that we were first to discover it" — suggesting the exploit is so straightforward that they expected Microsoft to have caught it during testing.
The bottom line? Don't hold your breath for an immediate patch. Microsoft plans to address this in a future update, but for now, you're on your own. Well, not entirely on your own — we've got some practical steps you can take right now.
Protecting Your Systems While Microsoft Takes Its Sweet Time
Since Microsoft isn't rushing to fix this, here's what you should do ASAP to protect your environment:
| Action Item | Difficulty | Impact |
|---|---|---|
| Run Akamai's PowerShell script to identify at-risk users | Easy | High |
| Restrict permissions on organizational units | Medium | High |
| Monitor dMSA-related attribute changes | Medium | Medium |
| Review and remove unnecessary permissions | Hard | High |
| Apply least privilege principle across AD | Hard | Very High |
The most critical step is identifying which users in your environment have permissions that could be used to exploit this vulnerability. Akamai has released a PowerShell script that can help with this — run it immediately if you have Windows Server 2025 in your environment.
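If you'd rather see what such a check looks like before running someone else's script, here is an added example of my own (not Akamai's script, and not Microsoft's) that walks every OU and lists non-admin principals holding rights that would let them create a dMSA there, or rewrite the OU's ACL to grant themselves that right. It assumes a domain-joined host with the RSAT ActiveDirectory module, run as a user who can read OU security descriptors.

```powershell
# Added example (not Akamai's script): list non-admin principals holding
# rights on any OU that would let them create a dMSA there, or rewrite the
# OU's ACL to grant themselves that right.
Import-Module ActiveDirectory

# Look up the schema GUID of the dMSA object class, so object-specific
# CreateChild grants for that class are matched alongside blanket grants.
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$dmsaClass = Get-ADObject -SearchBase $schemaNC -Properties schemaIDGUID `
    -LDAPFilter '(lDAPDisplayName=msDS-DelegatedManagedServiceAccount)'
$dmsaGuid  = [guid]$dmsaClass.schemaIDGUID
$anyClass  = [guid]::Empty          # all-zero ObjectType = "any child class"

$rights   = [System.DirectoryServices.ActiveDirectoryRights]
$create   = $rights::CreateChild
$takeover = $rights::GenericAll -bor $rights::WriteDacl -bor $rights::WriteOwner

# Built-in high-privilege principals are expected to hold these rights;
# anyone else is a finding worth reviewing.
$expected = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'Domain Admins', 'Enterprise Admins'

$findings = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $acl = Get-Acl -LiteralPath ("AD:\" + $ou.DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        if ($expected | Where-Object { $who -like "*$_" }) { continue }

        $canCreateDmsa = (($ace.ActiveDirectoryRights -band $create) -ne 0) -and
                         ($ace.ObjectType -eq $anyClass -or $ace.ObjectType -eq $dmsaGuid)
        $canTakeOverOu = ($ace.ActiveDirectoryRights -band $takeover) -ne 0
        if ($canCreateDmsa -or $canTakeOverOu) {
            [pscustomobject]@{
                OU        = $ou.DistinguishedName
                Principal = $who
                Rights    = $ace.ActiveDirectoryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}
$findings | Sort-Object Principal, OU | Format-Table -AutoSize
```

Inherited entries usually trace back to a single delegation higher up the tree, so fixing the source OU clears many rows at once.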
Don't have the in-house expertise to implement these mitigations? Our remote support team can help secure your Active Directory environment against BadSuccessor and other threats. We can even set up automated monitoring to alert you if someone attempts to exploit this vulnerability in your network.
Getting Into the Technical Weeds (Only If You're Curious)
OK, so you want the nerdy explanation? I don't blame you — this stuff is actually pretty fascinating if you're into the technical side of things.
Here's what's really happening: the whole mess starts in the Key Distribution Center (KDC), the part of a domain controller that hands out Kerberos tickets. When someone creates one of these fancy new dMSA accounts and says "hey, this is replacing an old account," the KDC just... believes them. No questions asked! It's like if you walked into a bank, pointed at someone else's account and said "that's actually mine now" — and the bank just shrugged and handed over the money.
The technical bit involves an attribute with an absurdly long name — msDS-GroupMSAMembership. By tweaking this little setting, attackers basically tell Windows "this account can act on behalf of THAT account"... and Windows just goes "sounds good to me!" No verification. No double-checking. Nothing.
I was talking with our security team about this yesterday, and they pointed out something that makes this vulnerability stand out from the usual Active Directory headaches:
- You don't need to be some high-level admin to pull this off — just regular ol' OU permissions that tons of IT staff already have
- Your security tools probably won't catch it happening — it looks like normal activity
- You don't need to be some elite hacker to do this... one security researcher called it "trivial" (ouch!)
- And the kicker? EVERY Windows Server 2025 domain controller is vulnerable. Not just certain configurations or setups. All. Of. Them.
That's why we're scratching our heads at Microsoft calling this "moderate severity." Like... really? When someone can take over your entire domain with basic permissions? Come on.
What This Actually Means for Your Business
Look, I've been in IT long enough to see this pattern repeat itself. Microsoft adds some shiny new feature to Windows Server, and boom — the attack surface gets bigger. Sometimes in ways that not even Microsoft's security folks saw coming.
The timing couldn't be worse, honestly. Most IT teams I talk to are already stretched thinner than my patience during a Windows update. Nobody has extra security people just sitting around waiting for the next vulnerability to drop! And without a patch, you're stuck cobbling together manual fixes while also trying to watch for anyone trying to exploit this thing.
If there's a silver lining here (and I'm really reaching for one), it's that this might finally get some organizations to clean up their Active Directory permissions. I can't tell you how many companies I've worked with where practically everyone has way more access than they should. This BadSuccessor thing might be the kick in the pants some IT directors need to finally implement proper least-privilege controls.
BTW — if you're worried about recovering from a security incident (and who isn't?), check out our backup solutions. We set up immutable backups that hackers can't mess with, even if they compromise your network. One client told me last week it was the best sleep aid they'd ever purchased!
Your Action Plan (Like, Right Now)
So Microsoft's taking their sweet time with a fix. Here's what you should be doing yesterday:
- Ignore Microsoft's "moderate" rating — treat this like the hair-on-fire emergency it actually is
- Download and run that Akamai script to figure out who in your org could potentially exploit this thing
- Lock down those permissions ASAP — yes, some help desk folks might complain. Too bad.
- Set up alerts for anything touching those dMSA attributes, especially msDS-GroupMSAMembership and that other ridiculously long one (msDS-ManagedAccountPrecededByLink)
- Use this as an excuse for that AD cleanup you've been putting off — you know, the one your security team has been nagging about since 2021?
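For the alerting step, here is an added example of my own (not Akamai's, not Microsoft's) that pulls the last 24 hours of Security event 5136 ("A directory service object was modified") from a domain controller and reports every change to the dMSA attributes named above. It assumes the "Audit Directory Service Changes" subcategory is enabled and the OUs holding dMSAs carry an auditing SACL; without both, event 5136 is never written and this finds nothing.

```powershell
# Added example (my own): report recent changes to the dMSA attributes
# that BadSuccessor touches, from Security event 5136 on a domain controller.
$watched = 'msDS-ManagedAccountPrecededByLink',
           'msDS-DelegatedMSAState',
           'msDS-GroupMSAMembership'

$filter = @{ LogName = 'Security'; Id = 5136; StartTime = (Get-Date).AddHours(-24) }

$hits = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # Flatten the <Data Name="..."> elements of the event into a hashtable.
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($watched -contains $data.AttributeLDAPDisplayName) {
        # OperationType %%14674 is "Value Added", %%14675 is "Value Deleted".
        $op = if ($data.OperationType -eq '%%14674') { 'Added' } else { 'Deleted' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Actor     = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            Object    = $data.ObjectDN
            Class     = $data.ObjectClass
            Attribute = $data.AttributeLDAPDisplayName
            Operation = $op
            Value     = $data.AttributeValue
        }
    }
}

$hits | Sort-Object Time | Format-Table -AutoSize

# A newly added PrecededByLink is the highest-signal event: it names the
# account whose privileges the dMSA will be handed at the next ticket request.
$hits |
    Where-Object { $_.Attribute -eq 'msDS-ManagedAccountPrecededByLink' -and $_.Operation -eq 'Added' } |
    ForEach-Object { Write-Warning "dMSA $($_.Object) now claims to supersede $($_.Value), set by $($_.Actor)" }
```

Run it on each domain controller (or against forwarded logs in your SIEM), since 5136 is written only where the change was made.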
And yeah, keep an eye out for Microsoft's patch... whenever they decide to grace us with it. The second it drops, deploy it. Don't wait for your normal patch cycle. This isn't the time for that.
We've actually been helping a bunch of clients deal with this over the past couple weeks. One healthcare company called us in a panic when they realized about 30% of their staff had the permissions needed to exploit this vulnerability. Yikes! We got them locked down within a day, though.
Want to stay in the loop on security stuff like this? Our security blog and AI threat coverage are updated way more often than I update my own phone. Worth bookmarking if you're the person who gets blamed when things go sideways.
Don't let BadSuccessor be the reason you're working late nights and weekends. Get ahead of this one. Drop us a line if you need a hand sorting it out, or just grab a quick quote for a security assessment.
Trust me on this one — I've cleaned up enough security messes to know that prevention costs pennies compared to recovery. Don't be the person explaining to your CEO why the entire network is compromised because "Microsoft said it was only moderate severity."
Worried about your backup strategy in case of a security breach? Our comprehensive backup solutions ensure you can quickly recover from ransomware attacks or other security incidents. With immutable backups that can't be altered by attackers, you'll have peace of mind knowing your data is safe.
What You Should Do Right Now
If you're running Windows Server 2025, don't wait for Microsoft to release a patch. Take these steps immediately:
- Treat this as a high-priority issue regardless of Microsoft's severity rating
- Run Akamai's detection script to identify users who could potentially exploit this vulnerability
- Implement all recommended mitigations as soon as possible
- Set up monitoring for suspicious activity related to dMSA manipulation, particularly changes to the msDS-GroupMSAMembership and msDS-ManagedAccountPrecededByLink attributes
- Review your overall Active Directory security posture — this is a good opportunity to clean up unnecessary permissions
And of course, stay tuned for updates from Microsoft. When they do eventually release a patch for this vulnerability, you'll want to deploy it immediately.
In the meantime, if you're concerned about your exposure to this vulnerability or need help implementing the recommended mitigations, our team of security experts is ready to assist. We've already helped several clients secure their environments against BadSuccessor and can do the same for your organization.
Want to stay informed about the latest security threats? Follow our security vulnerabilities blog and AI security threats coverage for regular updates on emerging cybersecurity issues affecting businesses like yours.
Don't let BadSuccessor catch you off guard. Take action now to protect your Active Directory environment, and contact us if you need expert assistance. You can also request a quote for our comprehensive security assessment services.
Remember, when it comes to cybersecurity, being proactive is always less expensive than being reactive. Don't wait for an attack to happen before taking this vulnerability seriously.