BadSuccessor: Abusing dMSA to elevate privileges in Active Directory

Delegated Managed Service Accounts (dMSAs) were introduced with Windows Server 2025. They are a new type of Active Directory (AD) service account intended to enable new functions. Security researchers have now found that by misusing dMSAs, an attacker can take over any principal in the domain.

I came across this topic on May 21, 2025 via the following tweet. Security researcher Yuval Gordon has discovered a serious problem that Microsoft (currently) does not want to fix.

BadSuccessor in Active Directory

A new, unpatched Active Directory privilege escalation vulnerability allows compromise of an arbitrary user in AD and works with the default configuration. All an attacker needs to carry out the attack is a benign-looking privilege on any organizational unit (OU) in the domain – a privilege that many accounts hold unnoticed.

And, writes the discoverer, the worst part: the attack works by default. The domain does not even need to use dMSAs. As long as the feature exists, which is the case in every domain with at least one Windows Server 2025 domain controller (DC), the vulnerability can be exploited. The security researcher published the details on May 21, 2025 in the Akamai blog in the article BadSuccessor: Abusing dMSA to Escalate Privileges in Active Directory.

What are dMSAs?

Microsoft has introduced delegated managed service accounts (dMSAs) in Windows Server 2025. A dMSA is a new type of service account in Active Directory (AD) that extends the capabilities of gMSAs (Group Managed Service Accounts).

A dMSA is usually created to replace an existing service account. The feature lets existing unmanaged service accounts be migrated by converting them into dMSAs. To make the transition seamless, a dMSA can "inherit" the permissions of the old account during the migration process. The migration therefore closely links the dMSA to the account it replaces.

BadSuccessor: taking over AD accounts

By analyzing the migration process in Windows Server 2025, Akamai security researcher Yuval Gordon has discovered a vulnerability that allows attackers to compromise any user in the Active Directory (AD).

The attack, called BadSuccessor, exploits the Delegated Managed Service Account (dMSA) feature introduced in Windows Server 2025. It works with the default configuration and is easy to carry out.

The migration process of a dMSA is triggered by calling the new cmdlet Start-ADServiceAccountMigration, which internally uses a new LDAP RootDSE operation called migrateADServiceAccount. The operation requires the Distinguished Name (DN) of the dMSA, the DN of the account being replaced, and a constant corresponding to StartMigration.

In the blog post, the security researcher walks through what happens when an old AD account is migrated. Kerberos authentication carries the Privilege Attribute Certificate (PAC), and when logging in with the dMSA he found that the PAC contained not only the SID of the dMSA but also the SIDs of the replaced service account and all of its groups.

This raised the question of whether this PAC inheritance, which is controlled by a single attribute, msDS-ManagedAccountPrecededByLink, could be manipulated. The researcher describes a tricky way to abuse the dMSA migration so that the (possibly low) privileges of the attacker's account in AD are elevated.

This problem probably affects most organizations that rely on AD, writes Yuval Gordon. In 91% of the environments Akamai investigated, users outside the domain administrator group were found to have the necessary privileges to carry out this attack.
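The precondition Gordon describes, a right to create child objects on some OU, is easy to audit. The following PowerShell is an added example for this post; it is neither the Akamai check script nor code from the original article. It lists every OU on which a principal other than the built-in administrator groups holds a right that permits creating a dMSA under that OU (CreateChild for all classes or for the dMSA class, GenericAll, or WriteDacl/WriteOwner, which let the holder grant CreateChild to themselves). It assumes the ActiveDirectory module on a domain-joined host and that $env:USERDOMAIN is the NetBIOS name of the domain being audited; the list of expected principals is an assumption you should adjust to your environment.

```powershell
# Added example, not the Akamai script: find OUs where non-admin principals can create dMSAs.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext

# Resolve the schemaIDGUID of the dMSA object class from the schema instead of hard-coding it.
# This fails on a forest whose schema has not been extended by a Windows Server 2025 DC.
$dmsaClass = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=msDS-DelegatedManagedServiceAccount)' `
    -Properties schemaIDGUID
$dmsaGuid = [guid]$dmsaClass.schemaIDGUID
$allGuid  = [guid]'00000000-0000-0000-0000-000000000000'   # ACE applies to every child class

# Principals whose rights on OUs are expected (assumption; extend for your delegation model).
$expected = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    "$env:USERDOMAIN\Domain Admins",
    "$env:USERDOMAIN\Enterprise Admins"
)

$R = [System.DirectoryServices.ActiveDirectoryRights]

$findings = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $acl = Get-Acl -Path ("AD:\" + $ou.DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($expected -contains $ace.IdentityReference.Value) { continue }

        $rights = $ace.ActiveDirectoryRights

        # CreateChild counts only if it is unrestricted or scoped to the dMSA class.
        $createScoped = $ace.ObjectType -eq $allGuid -or $ace.ObjectType -eq $dmsaGuid
        $canCreateDmsa = $rights.HasFlag($R::GenericAll) -or
                         ($rights.HasFlag($R::CreateChild) -and $createScoped)
        # WriteDacl/WriteOwner let the holder rewrite the ACL and grant CreateChild later.
        $canRewriteAcl = $rights.HasFlag($R::WriteDacl) -or $rights.HasFlag($R::WriteOwner)

        if (-not ($canCreateDmsa -or $canRewriteAcl)) { continue }

        $scope = if ($ace.ObjectType -eq $dmsaGuid) { 'dMSA class only' }
                 elseif ($ace.ObjectType -eq $allGuid) { 'all child classes' }
                 else { "objectType $($ace.ObjectType)" }

        [pscustomobject]@{
            OU        = $ou.DistinguishedName
            Principal = $ace.IdentityReference.Value
            Rights    = $rights
            Scope     = $scope
            Inherited = $ace.IsInherited
        }
    }
}

$findings | Sort-Object OU, Principal | Format-Table -AutoSize
```

Inherited ACEs are reported too, because a CreateChild grant on a parent OU flows down to every sub-OU; a single hit far up the tree is usually the finding that matters. Principals found here are the accounts that, per the post, can stage the attack without being domain administrators.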

The problem: Akamai informed Microsoft of the findings in advance, on April 1, 2025. Microsoft reviewed everything, including the proof of concept (PoC), rated the issue as "moderate", which in its view does not require an immediate patch, and finally approved publication of the findings.

Microsoft's position is that the attacker must already hold certain permissions on the dMSA object in order to exploit it. For the scenario of creating a new dMSA, Microsoft referred to KB5008383, which discusses the risks associated with the CreateChild permission.

For these reasons Microsoft does not currently plan an immediate fix, but says it will address the issue at some point in the future, so for now there is no patch. Organizations therefore need to take other proactive measures to reduce their exposure to this attack, writes Yuval Gordon. Full details of the attack and strategies for detection and defense can be found in the Akamai blog post.
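Since the inherited PAC is controlled by msDS-ManagedAccountPrecededByLink, one detection that does not depend on a patch is to inventory every dMSA in the domain and look at what its link points to. The following PowerShell is an added example for this post, not the Akamai detection guidance and not code from the original article. It reports each dMSA, the owner of its object (the creating principal, unless the owner was changed), the account it claims to supersede, and whether that account is a protected (adminCount=1) principal. It assumes the ActiveDirectory module on a domain-joined host with a Windows Server 2025 schema.

```powershell
# Added example, not the Akamai script: list dMSAs and the accounts their link points at.
Import-Module ActiveDirectory

$dmsas = Get-ADObject -LDAPFilter '(objectClass=msDS-DelegatedManagedServiceAccount)' `
    -Properties 'msDS-ManagedAccountPrecededByLink', whenCreated, whenChanged

$report = foreach ($dmsa in $dmsas) {
    # The object owner is normally the principal that created the dMSA.
    $owner = (Get-Acl -Path ("AD:\" + $dmsa.DistinguishedName)).Owner
    $links = @($dmsa.'msDS-ManagedAccountPrecededByLink')

    if ($links.Count -eq 0) {
        # A dMSA with no link inherits nothing; still worth knowing who created it.
        [pscustomobject]@{
            dMSA            = $dmsa.DistinguishedName
            Owner           = $owner
            Supersedes      = $null
            TargetClass     = $null
            TargetProtected = $false
            Created         = $dmsa.whenCreated
            Changed         = $dmsa.whenChanged
        }
        continue
    }

    foreach ($targetDn in $links) {
        $target = Get-ADObject -Identity $targetDn -Properties adminCount, objectClass
        [pscustomobject]@{
            dMSA            = $dmsa.DistinguishedName
            Owner           = $owner
            Supersedes      = $targetDn
            TargetClass     = $target.ObjectClass
            # adminCount=1 marks accounts under AdminSDHolder protection (Domain Admins etc.).
            TargetProtected = ($target.adminCount -eq 1)
            Created         = $dmsa.whenCreated
            Changed         = $dmsa.whenChanged
        }
    }
}

# Protected targets first: a dMSA that supersedes a Domain Admin needs an explanation.
$report | Sort-Object -Property TargetProtected, Created -Descending | Format-Table -AutoSize
```

A hit with TargetProtected set is not proof of compromise, since a legitimate migration of a privileged service account produces the same record; the combination of a protected target, an owner outside the admin groups, and a recent creation time is what should be escalated. Running this on a schedule and diffing the output against the previous run turns it into a simple change alert for new links.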
