Earning Ranks by Sinking Fangs: A dMSA’s Rise to Power
- Javier Conejo del Cerro
- 26 May
- 3 min read

In the ever-shifting battlefield of cybersecurity, privilege is usually earned. Sometimes it is quietly forged. A new vulnerability in Windows Server 2025 exposes Active Directory (AD) environments to a stealthy privilege escalation that needs no stolen credentials, no group membership changes, and, with default auditing, raises no alerts. At the center of it is a mechanism built for modernization: delegated Managed Service Accounts (dMSAs), the Server 2025 account type meant to replace legacy service accounts while preserving their access. In the wrong hands it becomes a ticket to the top ranks of a domain, an unearned promotion from private to general.
Subtle in execution and devastating in scope, the technique, dubbed BadSuccessor by the Akamai researchers who found it, exploits a design oversight in how the Key Distribution Center (KDC) lets a dMSA inherit the privileges of the account it claims to have superseded. The result: an attacker with modest permissions can impersonate any account, members of Domain Admins included, and gain full domain control, with nothing in default logging to distinguish the forgery from a legitimate migration.
Stowaways Outrank Privates and Generals
The flaw affects any Active Directory environment in which at least one domain controller runs Windows Server 2025, even if the organization has not deployed a single dMSA. That alone makes the attack surface extensive, but what makes it truly dangerous is how common the required permission is. An attacker needs only the right to create child objects (CreateChild) in some organizational unit (OU) or container, either unscoped (any object class) or scoped to the msDS-DelegatedManagedServiceAccount class. According to Akamai, 91% of the real-world environments they examined had users outside Domain Admins holding exactly that right.
These users are far from officers in the domain hierarchy, yet control over object creation lets them plant rogue service accounts in the infrastructure. From there, with two attribute writes, these "stowaway" accounts inherit the privileges of any target: members of Domain Admins, key service accounts, even critical infrastructure identities.
Crucially, the maneuver relies on no cracked passwords and no memory corruption. It uses a legitimate mechanism, the dMSA migration path, and runs entirely inside Active Directory's own delegation model. The attacker elevates no existing user; they create a new object and make the KDC treat it as the promoted successor of one that already holds the rank.
Stealing the Ranks
The attack hinges on two attribute writes to an object the attacker already owns, and little else.
First, the attacker creates a dMSA in an OU where they hold CreateChild. As its creator they own the new object, so they can write its attributes freely (including who is allowed to authenticate as it). They set msDS-ManagedAccountPrecededByLink to the distinguished name of the account they want to impersonate, and they set msDS-DelegatedMSAState to 2, the value that marks the "migration" from the legacy account to the dMSA as complete. Nothing checks that the attacker holds any rights over the account named in the link; the sanctioned path (an administrator running Start-ADServiceAccountMigration and then Complete-ADServiceAccountMigration) is a convention, not something the directory enforces.
At that point the Key Distribution Center (KDC) treats the dMSA as the legitimate successor of the original account. When it issues a ticket for the dMSA, it builds the Privilege Attribute Certificate (PAC) from the dMSA's own group memberships plus those of its predecessor, so the ticket carries every SID the impersonated account has, with no verification that the succession was ever authorized. Akamai also noted that the key package returned with the ticket (KERB-DMSA-KEY-PACKAGE) lists the predecessor's keys as its "previous" keys, which amounts to handing over that account's password hash.
With a tool such as Rubeus, which has added dMSA support, the attacker requests tickets for the dMSA and authenticates as the privileged account across the domain. They haven't elevated themselves. They haven't changed a group. They've planted a fake officer in the hierarchy and had it decorated by the system itself.
This is not just privilege escalation—it’s rank theft at the protocol level.
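As an added example, and not code from the original post or from Akamai, the following PowerShell looks at the same two attributes from the defender's side: it lists every dMSA that claims to have superseded another account and ranks how suspicious the link looks. It assumes the RSAT ActiveDirectory module and read access to the domain; the function name, the `$KnownMigrations` allowlist and the `Severity` labels are our own conventions, and `adminCount = 1` is used only as a cheap first-pass marker for a privileged predecessor.

```powershell
# Added example, not part of the original post or of Akamai's tooling.
# Hunt for dMSAs whose msDS-ManagedAccountPrecededByLink is populated, i.e. objects
# that claim to have superseded another account, and rank how suspicious they look.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

function Get-LinkedDmsa {
    param(
        # Hypothetical allowlist: DNs of dMSAs migrated through the sanctioned process.
        [string[]]$KnownMigrations = @(),
        # Owners a dMSA created by an administrator is expected to have.
        [string[]]$TrustedOwners = @('Domain Admins', 'Enterprise Admins', 'Administrators')
    )

    $filter = '(&(objectClass=msDS-DelegatedManagedServiceAccount)(msDS-ManagedAccountPrecededByLink=*))'
    $linked = Get-ADObject -LDAPFilter $filter -Properties `
        'msDS-ManagedAccountPrecededByLink', 'msDS-DelegatedMSAState', whenCreated, whenChanged

    foreach ($dmsa in $linked) {
        $predDn = $dmsa.'msDS-ManagedAccountPrecededByLink'
        $state  = $dmsa.'msDS-DelegatedMSAState'   # 2 = "migration completed", the BadSuccessor value

        # The predecessor may be a user or another service account. adminCount = 1 marks
        # members of AdminSDHolder-protected groups: a cheap first-pass privilege check.
        $pred = Get-ADObject -Identity $predDn -Properties adminCount, objectClass -ErrorAction SilentlyContinue
        $predPrivileged = ($pred -ne $null -and $pred.adminCount -eq 1)
        $predClass = if ($pred) { $pred.objectClass } else { 'unresolved' }

        # A low-privileged creator becomes the owner of the object (CREATOR OWNER), whereas
        # objects created by administrators are owned by Domain Admins.
        $owner = (Get-Acl -Path ("AD:\" + $dmsa.DistinguishedName)).Owner
        $ownerTrusted = $TrustedOwners -contains $owner.Split('\')[-1]

        $reasons = @()
        if ($state -eq 2)          { $reasons += 'migration marked complete' }
        if ($predPrivileged)       { $reasons += 'predecessor is privileged (adminCount=1)' }
        if (-not $ownerTrusted)    { $reasons += "owned by $owner" }
        if ($KnownMigrations -notcontains $dmsa.DistinguishedName) { $reasons += 'not a known migration' }

        # A privileged predecessor with the migration already marked complete is the
        # fully staged attack; either signal alone still deserves a look.
        $severity = 'Low'
        if ($predPrivileged -and $state -eq 2)        { $severity = 'High' }
        elseif ($predPrivileged -or -not $ownerTrusted) { $severity = 'Medium' }

        [pscustomobject]@{
            DMSA             = $dmsa.DistinguishedName
            Predecessor      = $predDn
            PredecessorClass = $predClass
            State            = $state
            Owner            = $owner
            Created          = $dmsa.whenCreated
            LastChanged      = $dmsa.whenChanged
            Severity         = $severity
            Reasons          = ($reasons -join '; ')
        }
    }
}

# Typical use: review everything, highest severity first.
Get-LinkedDmsa | Sort-Object { @{ High = 0; Medium = 1; Low = 2 }[$_.Severity] } | Format-Table -AutoSize
```

In a healthy domain this returns only the dMSAs an administrator migrated on purpose, all owned by Domain Admins and all present in the allowlist; a High entry with a recent `Created` timestamp is the attack in progress, and its `Owner` is the principal to investigate.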
Dishonorable Discharge: Remediation Before the Patch
At the time of writing, Microsoft has acknowledged the issue and is working on a patch. In the meantime, organizations must treat this vulnerability as a high-risk insider escalation vector and act accordingly.
Immediate defensive measures include:
- Restricting the ability to create dMSAs to trusted administrators only. In practice that means removing CreateChild (and the broader GenericAll, WriteDacl and WriteOwner rights) on OUs and containers from every principal that does not need them; an unscoped CreateChild right, one not limited to a specific object class, is enough to stage the attack.
- Auditing dMSA creation. Enable the "Audit Directory Service Changes" subcategory and place a SACL on OUs so that every new msDS-DelegatedManagedServiceAccount object produces Event ID 5137 (directory object created), especially in OUs where non-admin users hold creation rights.
- Monitoring attribute changes, in particular Event ID 5136 (directory object modified) for writes to msDS-ManagedAccountPrecededByLink and msDS-DelegatedMSAState. Legitimate migrations go through the Start-ADServiceAccountMigration and Complete-ADServiceAccountMigration cmdlets run by an administrator; any other writer of these attributes is suspect.
- Tracking dMSA authentication. A Windows Server 2025 domain controller records Event ID 2946 in its Directory Service log when it issues a TGT for a dMSA, and the standard Kerberos events (4768 for TGT and 4769 for service ticket requests) show the dMSA's account name. Correlate these with the object's creation time and its predecessor link.
Akamai has also published a PowerShell script, Get-BadSuccessorOUPermissions.ps1, that lists the principals currently holding the permissions needed to exploit this flaw. Organizations should run it and revoke dMSA creation rights from any principal that hasn't earned those stripes.
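An added example (not Akamai's script and not code from the original post) of the permission check that script automates: walk every OU and container, resolve the dMSA class GUID from the schema at run time, and report any allow ACE that would let a principal outside the trusted list create a dMSA there or grant themselves the right to. It assumes the RSAT ActiveDirectory module and that `$TrustedPrincipals` reflects who is allowed to hold these rights in your domain; the function name is ours.

```powershell
# Added example, not Akamai's Get-BadSuccessorOUPermissions.ps1 and not code from the post.
# Report every principal outside a trusted list that can create a dMSA in some OU or
# container, or could give themselves that right (GenericAll, WriteDacl, WriteOwner).
# Assumes the RSAT ActiveDirectory module and read access to the directory ACLs.
Import-Module ActiveDirectory

function Get-DmsaCreateRights {
    param(
        # Principals allowed to hold these rights; adjust for your domain. Anything else is reported.
        [string[]]$TrustedPrincipals = @('Domain Admins', 'Enterprise Admins', 'Administrators',
                                         'SYSTEM', 'ENTERPRISE DOMAIN CONTROLLERS')
    )

    $rootDse = Get-ADRootDSE

    # Resolve the dMSA class GUID from the schema instead of hard-coding it. If the class is
    # missing, no Windows Server 2025 DC has been promoted and the attack does not apply yet.
    $dmsaClass = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter '(lDAPDisplayName=msDS-DelegatedManagedServiceAccount)' -Properties schemaIDGUID
    if (-not $dmsaClass) { throw 'msDS-DelegatedManagedServiceAccount is not in the schema.' }
    $dmsaClassGuid = [guid]$dmsaClass.schemaIDGUID

    # Rights that create a dMSA directly, or let the holder rewrite the ACL and then create one.
    $dangerous = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, GenericAll, WriteDacl, WriteOwner'

    # The domain root itself, every OU and every plain container can hold a dMSA.
    $containers = Get-ADObject -SearchBase $rootDse.defaultNamingContext `
        -LDAPFilter '(|(objectClass=domainDNS)(objectClass=organizationalUnit)(objectClass=container))'

    foreach ($c in $containers) {
        $acl = Get-Acl -Path ("AD:\" + $c.DistinguishedName)
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (($ace.ActiveDirectoryRights -band $dangerous) -eq 0) { continue }

            # A CreateChild scoped to some other class (e.g. Account Operators' user/group/computer
            # rights) does not help the attacker. An empty ObjectType means "any child class".
            if ($ace.ObjectType -ne [guid]::Empty -and $ace.ObjectType -ne $dmsaClassGuid) { continue }

            $name = $ace.IdentityReference.Value.Split('\')[-1]
            if ($TrustedPrincipals -contains $name) { continue }

            $scope = if ($ace.ObjectType -eq $dmsaClassGuid) { 'dMSA class only' } else { 'any child class' }
            [pscustomobject]@{
                Container = $c.DistinguishedName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.ActiveDirectoryRights
                Scope     = $scope
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Typical use: everyone listed can stage BadSuccessor; remove the right or document why it stays.
Get-DmsaCreateRights | Sort-Object Container, Principal | Format-Table -AutoSize
```

Two caveats worth keeping in mind when reading the output: inherited ACEs are reported on every container they reach, so one delegation at the domain root can show up dozens of times, and a principal that is a group member only transitively (a help-desk user inside a delegated group) will appear under the group's name, not their own. Resolve group membership before deciding that a hit is "just a group".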
In the domain chain of command, access must be earned—not assumed. But until this vulnerability is patched, Windows Server 2025 is issuing medals to impostors. It’s up to defenders to enforce the honor code and stop rogue promotions before they take the whole domain with them.