BadSuccessor Vulnerability in Windows Server 2025 Allows AD User Impersonation

A critical privilege escalation issue, known as the BadSuccessor vulnerability in Windows Server 2025, poses a significant threat to Active Directory (AD) environments. The flaw lies in the newly introduced delegated Managed Service Accounts (dMSA) feature and lets attackers impersonate any AD user, including domain administrators, without altering existing accounts or group memberships.

Understanding the BadSuccessor Vulnerability

The dMSA feature in Windows Server 2025 is designed to facilitate the migration of legacy service accounts by allowing a dMSA to inherit permissions from an existing account. However, the vulnerability arises from the way this migration process handles permissions.

An attacker can simulate a completed migration by setting two attributes on a dMSA object:

  • msDS-ManagedAccountPrecededByLink: the distinguished name (DN) of the target (superseded) account.
  • msDS-DelegatedMSAState: the state of the migration process.

With these set, the dMSA inherits the permissions and group memberships of the target account. This requires no change to the target account itself and no high-level privileges. In environments where users have permission to create or modify dMSAs within an organizational unit (OU), the flaw can be used to gain elevated access, potentially compromising the entire domain.
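Because the technique leaves the target account untouched, the only on-object evidence is the link attribute on the dMSA itself. The following PowerShell, added here as an example and not code from the original article, inventories every dMSA in the domain, reports the two migration attributes, and flags links that point at accounts marked adminCount=1 (members of AD protected groups). It assumes the ActiveDirectory RSAT module and that dMSAs carry the objectClass msDS-DelegatedManagedServiceAccount; the function name is the example's own.

```powershell
# Added example, not code from the original article.
# Point-in-time review of each dMSA's migration-link attributes.
# Assumes the ActiveDirectory RSAT module and the dMSA objectClass name
# msDS-DelegatedManagedServiceAccount (an assumption of this example).
Import-Module ActiveDirectory

function Get-DmsaMigrationLinks {
    [CmdletBinding()]
    param(
        # Defaults to the whole domain; pass an OU DN to narrow the search
        [string]$SearchBase = (Get-ADRootDSE).defaultNamingContext
    )

    $props = 'msDS-ManagedAccountPrecededByLink', 'msDS-DelegatedMSAState',
             'whenCreated', 'whenChanged'

    Get-ADObject -SearchBase $SearchBase `
        -LDAPFilter '(objectClass=msDS-DelegatedManagedServiceAccount)' `
        -Properties $props |
    ForEach-Object {
        # The link is a DN-valued attribute; take the first value as a string
        $link = [string]($_.'msDS-ManagedAccountPrecededByLink' | Select-Object -First 1)
        $privileged = $false
        if ($link) {
            # adminCount=1 marks members of protected groups (e.g. Domain Admins).
            # A dMSA linked to such an account matches the BadSuccessor pattern and
            # should be verified against legitimate migration records.
            $target = Get-ADObject -Identity $link -Properties adminCount `
                          -ErrorAction SilentlyContinue
            $privileged = ($target.adminCount -eq 1)
        }
        [pscustomobject]@{
            DMSA              = $_.DistinguishedName
            PrecededBy        = $link
            MigrationState    = $_.'msDS-DelegatedMSAState'
            LinksToPrivileged = $privileged
            Created           = $_.whenCreated
            LastChanged       = $_.whenChanged
        }
    }
}

# Usage: every dMSA that claims a superseded account, privileged links first
Get-DmsaMigrationLinks |
    Where-Object PrecededBy |
    Sort-Object -Property LinksToPrivileged -Descending |
    Format-Table -AutoSize
```

Run it from an account that can read the domain; a dMSA that was created recently, is linked to a privileged account, and has no corresponding migration ticket is the case to investigate first.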

Impact and Prevalence

  • Widespread Exposure: Independent analysis revealed that in 91% of tested environments, non-administrative users possessed the necessary permissions to execute this attack.  
  • Default Configuration Vulnerability: The attack works with the default configuration of Windows Server 2025, meaning organizations are at risk even if they haven’t actively implemented dMSAs.  
  • Microsoft’s Response: Microsoft has acknowledged the vulnerability but classified it as “moderate” severity, indicating that it does not meet the threshold for immediate patching. 

Mitigation Strategies

Until a patch is released, organizations should take the following actions to mitigate the risk:

  1. Audit dMSA Creation Events: Monitor for Event ID 5137 to detect the creation of new dMSAs.
  2. Monitor Attribute Changes: Track changes to the msDS-ManagedAccountPrecededByLink attribute using Event ID 5136.
  3. Restrict dMSA Permissions: Limit the ability to create or modify dMSAs to trusted administrators only.
  4. Implement Detection Scripts: Use scripts to identify users with dMSA-related permissions that could enable this technique.
  5. Regularly Review Permissions: Conduct periodic reviews of user permissions, especially those related to creating or modifying dMSAs within OUs.
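The two monitoring steps and the detection-script step above can be covered by one script. The PowerShell below is an added example, not code from the original article: Get-DmsaAuditEvents pulls Event ID 5137 and 5136 records from a domain controller and keeps those that concern a dMSA object or a write to msDS-ManagedAccountPrecededByLink; Find-DmsaCreateRights walks the domain head and every OU and reports principals, other than an assumed trusted list, that hold CreateChild for the dMSA class (or for any child type), or broad rights such as GenericAll, WriteDacl or WriteOwner. It assumes the ActiveDirectory RSAT module, the objectClass name msDS-DelegatedManagedServiceAccount, and the standard field names of the Directory Service Changes events; both function names and the trusted-principal list are the example's own.

```powershell
# Added example, not code from the original article.
# (1) Get-DmsaAuditEvents: 5137/5136 events touching dMSAs or the link attribute.
# (2) Find-DmsaCreateRights: non-trusted principals able to create dMSAs in an OU.
# Assumes the ActiveDirectory RSAT module; class name and trusted list are assumptions.
Import-Module ActiveDirectory

function Get-DmsaAuditEvents {
    param(
        # Directory Service Changes events are logged on the DC that took the write
        [string]$DomainController = (Get-ADDomainController).HostName,
        [datetime]$Since = (Get-Date).AddDays(-1)
    )
    $filter = @{ LogName = 'Security'; Id = 5137, 5136; StartTime = $Since }
    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter `
                 -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the <Data Name="..."> fields of EventData into a hashtable
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }

        $isDmsaClass = $d['ObjectClass'] -eq 'msDS-DelegatedManagedServiceAccount'
        $isLinkWrite = $d['AttributeLDAPDisplayName'] -eq 'msDS-ManagedAccountPrecededByLink'
        if (-not ($isDmsaClass -or $isLinkWrite)) { return }   # skip unrelated events

        [pscustomobject]@{
            Time      = $_.TimeCreated
            EventId   = $_.Id                      # 5137 = created, 5136 = modified
            Actor     = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Object    = $d['ObjectDN']
            Attribute = $d['AttributeLDAPDisplayName']
            Value     = $d['AttributeValue']       # the DN written into the link
        }
    }
}

function Find-DmsaCreateRights {
    param(
        [string]$SearchBase = (Get-ADRootDSE).defaultNamingContext,
        # Principals expected to hold these rights; tune for your forest (assumed list)
        [string[]]$Trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                               '*\Domain Admins', '*\Enterprise Admins')
    )
    # Resolve the dMSA class GUID from the schema instead of hard-coding it
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $classObj = Get-ADObject -SearchBase $schemaNC -Properties schemaIDGUID `
        -LDAPFilter '(lDAPDisplayName=msDS-DelegatedManagedServiceAccount)'
    if (-not $classObj) { throw 'dMSA class not present in schema (pre-2025 forest?)' }
    $dmsaGuid = [guid]([byte[]]$classObj.schemaIDGUID)

    $create = [int][System.DirectoryServices.ActiveDirectoryRights]::CreateChild
    $broad  = [int][System.DirectoryServices.ActiveDirectoryRights]'GenericAll, WriteDacl, WriteOwner'

    $containers = @($SearchBase) +
        (Get-ADOrganizationalUnit -SearchBase $SearchBase -Filter * |
         Select-Object -ExpandProperty DistinguishedName)

    foreach ($dn in $containers) {
        foreach ($ace in (Get-Acl -Path "AD:\$dn").Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $who = $ace.IdentityReference.Value
            if ($Trusted | Where-Object { $who -like $_ }) { continue }

            $r = [int]$ace.ActiveDirectoryRights
            # CreateChild scoped to the dMSA class, or unscoped (any child object type)
            $canCreate = (($r -band $create) -ne 0) -and
                         ($ace.ObjectType -eq $dmsaGuid -or $ace.ObjectType -eq [guid]::Empty)
            $hasBroad  = ($r -band $broad) -ne 0
            if (-not ($canCreate -or $hasBroad)) { continue }

            $scope = if ($ace.ObjectType -eq $dmsaGuid) { 'dMSA class' } else { 'any child / broad' }
            [pscustomobject]@{
                Container = $dn
                Principal = $who
                Rights    = $ace.ActiveDirectoryRights
                Scope     = $scope
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Usage
Get-DmsaAuditEvents   | Format-Table -AutoSize
Find-DmsaCreateRights | Sort-Object Container | Format-Table -AutoSize
```

Two caveats apply. Events 5136 and 5137 are only written when the "Audit Directory Service Changes" subcategory is enabled and the OU or domain head carries a SACL for the relevant write and create operations, and each domain controller logs only the changes it processed, so run Get-DmsaAuditEvents against every DC or against a central log collector. Find-DmsaCreateRights reports rights on the container, which is the condition the article describes; an entry that is not inherited from the domain head is usually a deliberate delegation and is the first one to review and tighten.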

Conclusion

The BadSuccessor vulnerability in Windows Server 2025 highlights the need for strict permission management and continuous monitoring in Active Directory environments. Organizations should apply mitigation strategies to reduce exposure while awaiting an official patch.
