Privilege Escalation by Abusing dMSA: The BadSuccessor Vulnerability

Executive Summary

On 23.05.2025, Yuval Gordon of Akamai disclosed a new attack method, together with published exploit code, that abuses a design flaw in the Delegated Managed Service Account (dMSA) feature introduced with Windows Server 2025. The method is named “BadSuccessor” and is classified as a new attack technique alongside the already-known ones. With it, an unprivileged user in an Active Directory environment can take over any administrator account by abusing the dMSA accounts Microsoft introduced, and this leads to compromise of the entire Active Directory environment.

The details in this document can be used to detect and mitigate the vulnerability.

Introduction

Through the technique known as BadSuccessor, disclosed by Akamai security researchers, an attacker can compromise the entire infrastructure in environments utilizing Windows Server 2025 Domain Controllers by leveraging two distinct attack scenarios.

The first scenario allows any unprivileged user or computer account within an Active Directory environment to create a vulnerable dMSA account, provided that it possesses the “Create msDS-DelegatedManagedServiceAccount” or “Create all child objects” permission on any “Container” or “Organizational Unit” object, or holds broadly defined rights encompassing these permissions such as “GenericAll,” “WriteDACL,” “WriteOwner,” or “Owner.”

In the second scenario, an attacker can turn a dMSA account that already exists in the Active Directory environment into a vulnerable one, as long as they have permission to write to the “msDS-ManagedAccountPrecededByLink” and “msDS-DelegatedMSAState” attributes of existing dMSA objects. This is also possible if they hold broader privileges that include those permissions, such as “GenericWrite,” “GenericAll,” “WriteDACL,” “WriteOwner,” or “Owner.”

The attacker manipulates the “msDS-ManagedAccountPrecededByLink” and “msDS-DelegatedMSAState” attributes, which are the root cause of the vulnerability, to impersonate any user of their choosing, compromising the entire Active Directory environment.
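The following PowerShell audit script is an added example and is not code from the original post, from Forestall, or from the Akamai research. It covers both scenarios described above from the defender's side: it lists which principals can create dMSA objects (or hold rights that imply it) on any OU or container, and which principals can write the two attributes on existing dMSA objects, while also reporting dMSAs whose “msDS-ManagedAccountPrecededByLink” is already populated. It assumes the RSAT ActiveDirectory module, the AD: drive it provides, read access to the domain, and that the allow-list of expected principals is adjusted for the environment (the list in the script is constructed).

```powershell
# Added audit example: not code from the original post, from Forestall, or from the Akamai research.
# Assumes the RSAT ActiveDirectory module, the AD: PSDrive it provides, and read access to the domain.
Import-Module ActiveDirectory

# Resolve schemaIDGUIDs at run time rather than hard-coding them.
function Get-SchemaGuid {
    param([string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    return [guid]$obj.schemaIDGUID
}

$dmsaClassGuid  = Get-SchemaGuid 'msDS-DelegatedManagedServiceAccount'
$precededByGuid = Get-SchemaGuid 'msDS-ManagedAccountPrecededByLink'
$msaStateGuid   = Get-SchemaGuid 'msDS-DelegatedMSAState'
$allObjectsGuid = [guid]'00000000-0000-0000-0000-000000000000'  # ObjectType meaning "all child objects / all properties"

# Constructed allow-list of principals expected to hold broad rights; adjust for your environment.
$expectedPrincipals = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'Domain Admins', 'Enterprise Admins'

function Test-Expected {
    param([string]$Principal)
    foreach ($e in $expectedPrincipals) { if ($Principal -like "*$e*") { return $true } }
    return $false
}

# Scenario 1: who can create dMSA objects, or holds rights that imply it, on any OU or container?
function Find-DmsaCreateRights {
    $containers = Get-ADObject -LDAPFilter '(|(objectClass=organizationalUnit)(objectClass=container))'
    foreach ($c in $containers) {
        $acl = Get-Acl -Path ("AD:\" + $c.DistinguishedName)
        # The owner can rewrite the DACL, so report unexpected owners alongside explicit ACEs.
        if (-not (Test-Expected $acl.Owner)) {
            [pscustomobject]@{ Object = $c.DistinguishedName; Principal = $acl.Owner; Right = 'Owner'; Inherited = $false }
        }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow' -or (Test-Expected $ace.IdentityReference.Value)) { continue }
            $rights = $ace.ActiveDirectoryRights.ToString()
            $createDmsa = ($rights -match 'CreateChild') -and
                          ($ace.ObjectType -eq $dmsaClassGuid -or $ace.ObjectType -eq $allObjectsGuid)
            $broad = $rights -match 'GenericAll|WriteDacl|WriteOwner'
            if ($createDmsa -or $broad) {
                [pscustomobject]@{ Object = $c.DistinguishedName; Principal = $ace.IdentityReference.Value; Right = $rights; Inherited = $ace.IsInherited }
            }
        }
    }
}

# Scenario 2: existing dMSAs whose migration attributes are already set, and who may write those attributes.
function Find-DmsaWriteRights {
    $dmsas = Get-ADObject -LDAPFilter '(objectClass=msDS-DelegatedManagedServiceAccount)' `
                          -Properties 'msDS-ManagedAccountPrecededByLink', 'msDS-DelegatedMSAState'
    foreach ($d in $dmsas) {
        # A populated predecessor link on an account nobody is migrating is the artefact to review.
        if ($d.'msDS-ManagedAccountPrecededByLink') {
            $state = "PrecededBy=$($d.'msDS-ManagedAccountPrecededByLink') State=$($d.'msDS-DelegatedMSAState')"
            [pscustomobject]@{ Object = $d.DistinguishedName; Principal = '-'; Right = $state; Inherited = $false }
        }
        $acl = Get-Acl -Path ("AD:\" + $d.DistinguishedName)
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow' -or (Test-Expected $ace.IdentityReference.Value)) { continue }
            $rights = $ace.ActiveDirectoryRights.ToString()
            $writesAttr = ($rights -match 'WriteProperty') -and
                          ($ace.ObjectType -in @($precededByGuid, $msaStateGuid, $allObjectsGuid))
            $broad = $rights -match 'GenericWrite|GenericAll|WriteDacl|WriteOwner'
            if ($writesAttr -or $broad) {
                [pscustomobject]@{ Object = $d.DistinguishedName; Principal = $ace.IdentityReference.Value; Right = $rights; Inherited = $ace.IsInherited }
            }
        }
    }
}

Find-DmsaCreateRights | Format-Table -AutoSize
Find-DmsaWriteRights  | Format-Table -AutoSize
```

The script only reads the directory. Every row it prints is a principal outside the allow-list that holds one of the rights the two scenarios depend on, or an existing dMSA whose predecessor link is already set; each such row is a candidate for removing the delegated right or for investigating who set the attribute and when.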

Explore the full analysis on the Forestall Blog
