Windows Server 2025 has generated excitement for new features and enhanced capabilities, but a significant security concern threatens to overshadow these advancements: a privilege escalation vulnerability in Active Directory (AD) known as the “BadSuccessor” flaw. This critical vulnerability, first revealed by Akamai, a major content delivery network and cloud security provider, lets an attacker who holds only modest rights on an organizational unit take over any account in the domain, a step that is both trivial to perform and potentially catastrophic for many environments. As the community awaits Microsoft's fix, IT professionals must remain vigilant and implement the recommended mitigations to secure their domains.
Understanding the “BadSuccessor” Vulnerability
The “BadSuccessor” vulnerability is tied directly to one of the headline features introduced with Windows Server 2025: delegated Managed Service Accounts, or dMSAs. These accounts represent an evolution of Microsoft's longstanding Group Managed Service Accounts (gMSAs). In theory, dMSAs are designed to enhance security by giving service accounts automatically managed credentials that only explicitly authorized machines can use, together with a supported path for migrating legacy service accounts onto them.

However, Akamai’s security research team found that the way Windows Server 2025 implements dMSAs in its default configuration creates an opening that is both easy to exploit and alarmingly widespread. Rather than the ability to create and manipulate dMSAs being limited to tightly trusted administrative accounts, most environments examined by Akamai had non-admin users or service accounts with the permissions required to exploit the vulnerability.
In their analysis, Akamai reported that “in 91 percent of the environments we examined, we discovered user accounts outside the domain admin group that have the necessary rights to execute the attack.” This suggests an industry-wide configuration drift or a flaw in recommended best practices, amplified by the new dMSA feature’s defaults.
How the Attack Works
Akamai’s technical write-up shows that the flaw lies in how the Windows Server 2025 Key Distribution Center (KDC) handles the dMSA migration feature. A dMSA can be linked to an existing account through the msDS-ManagedAccountPrecededByLink attribute, and once msDS-DelegatedMSAState marks the migration as complete, the KDC treats the dMSA as that account's successor: Kerberos tickets issued to the dMSA carry the predecessor's SID and group memberships in the PAC. The KDC does not verify that anyone with authority over the predecessor approved the link. At its core, therefore, the vulnerability allows any principal (user, group, or computer) that can create a dMSA object in any Organizational Unit (OU), or write those two attributes on an existing dMSA, to escalate its privileges far beyond its intended scope.

What makes the issue particularly severe is that the attack does not require dMSAs to be in use within a domain. The presence of a single Windows Server 2025 domain controller is sufficient to introduce the vulnerability, regardless of whether any dMSA has ever been deployed. Even organizations in the evaluation or pilot stages could be at risk if their permissions are not tightly controlled.

The mechanics are straightforward: an attacker who controls an account with the right to create child objects in an OU creates a dMSA there, names a privileged account (a domain administrator, for example) as its predecessor, marks the migration complete, and then authenticates as the dMSA. The resulting ticket carries the target's privileges, which is enough to take over the domain and move laterally across systems and resources.
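Because the attack must write to the directory before it can authenticate, it leaves a predictable trail. The following PowerShell is an added illustration (not code from the heise article or from Akamai) of how to flag that trail. It assumes the domain controllers have the “Audit Directory Service Changes” subcategory enabled with a SACL covering the OUs, so that the DC that processed the write logs Security event 5137 for the creation of the dMSA object and 5136 for modification of msDS-ManagedAccountPrecededByLink or msDS-DelegatedMSAState. The function name, the CORP domain, the jdoe account and the distinguished names in the sample events are invented; the samples are constructed in the XML shape that Get-WinEvent's ToXml() returns.

```powershell
function Get-BadSuccessorIndicator {
    # Reads Security events as XML (Get-WinEvent ... | ForEach-Object { $_.ToXml() })
    # and emits one record per directory change that matches the BadSuccessor pattern.
    [CmdletBinding()]
    param([Parameter(ValueFromPipeline = $true)][string]$EventXml)
    process {
        $x = [xml]$EventXml
        # local-name() sidesteps the event schema's default XML namespace
        $id   = [int]$x.SelectSingleNode('//*[local-name()="EventID"]').InnerText
        $data = @{}
        foreach ($d in $x.SelectNodes('//*[local-name()="Data"]')) {
            $data[$d.GetAttribute('Name')] = $d.InnerText
        }
        # Both 5136 and 5137 carry ObjectClass; anything that is not a dMSA is irrelevant here
        if ($data['ObjectClass'] -ne 'msDS-DelegatedManagedServiceAccount') { return }
        $reason = $null
        switch ($id) {
            5137 { $reason = 'dMSA object created' }
            5136 {
                switch ($data['AttributeLDAPDisplayName']) {
                    'msDS-ManagedAccountPrecededByLink' { $reason = 'predecessor link set to ' + $data['AttributeValue'] }
                    'msDS-DelegatedMSAState'            { if ($data['AttributeValue'] -eq '2') { $reason = 'migration state set to 2 (completed)' } }
                }
            }
        }
        if ($reason) {
            [pscustomobject]@{
                EventId = $id
                Actor   = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                Object  = $data['ObjectDN']
                Reason  = $reason
            }
        }
    }
}

# Constructed sample events (invented domain, user and DNs) in the shape ToXml() produces
$ns = 'http://schemas.microsoft.com/win/2004/08/events/event'
$evCreate = @"
<Event xmlns="$ns"><System><EventID>5137</EventID></System><EventData>
<Data Name="SubjectUserName">jdoe</Data><Data Name="SubjectDomainName">CORP</Data>
<Data Name="ObjectDN">CN=svc-succ,OU=Workstations,DC=corp,DC=example</Data>
<Data Name="ObjectClass">msDS-DelegatedManagedServiceAccount</Data></EventData></Event>
"@
$evLink = @"
<Event xmlns="$ns"><System><EventID>5136</EventID></System><EventData>
<Data Name="SubjectUserName">jdoe</Data><Data Name="SubjectDomainName">CORP</Data>
<Data Name="ObjectDN">CN=svc-succ,OU=Workstations,DC=corp,DC=example</Data>
<Data Name="ObjectClass">msDS-DelegatedManagedServiceAccount</Data>
<Data Name="AttributeLDAPDisplayName">msDS-ManagedAccountPrecededByLink</Data>
<Data Name="AttributeValue">CN=Administrator,CN=Users,DC=corp,DC=example</Data>
<Data Name="OperationType">%%14674</Data></EventData></Event>
"@
$evState = @"
<Event xmlns="$ns"><System><EventID>5136</EventID></System><EventData>
<Data Name="SubjectUserName">jdoe</Data><Data Name="SubjectDomainName">CORP</Data>
<Data Name="ObjectDN">CN=svc-succ,OU=Workstations,DC=corp,DC=example</Data>
<Data Name="ObjectClass">msDS-DelegatedManagedServiceAccount</Data>
<Data Name="AttributeLDAPDisplayName">msDS-DelegatedMSAState</Data>
<Data Name="AttributeValue">2</Data><Data Name="OperationType">%%14674</Data></EventData></Event>
"@
# Ordinary change to a user object: not a dMSA, so the function drops it
$evNoise = @"
<Event xmlns="$ns"><System><EventID>5136</EventID></System><EventData>
<Data Name="SubjectUserName">jdoe</Data><Data Name="SubjectDomainName">CORP</Data>
<Data Name="ObjectDN">CN=Jane Doe,OU=Staff,DC=corp,DC=example</Data>
<Data Name="ObjectClass">user</Data>
<Data Name="AttributeLDAPDisplayName">description</Data>
<Data Name="AttributeValue">desk 4</Data><Data Name="OperationType">%%14674</Data></EventData></Event>
"@

$evCreate, $evLink, $evState, $evNoise | Get-BadSuccessorIndicator | Format-Table -AutoSize

# Live use on a domain controller, or against events forwarded from all DCs:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136, 5137 } |
#     ForEach-Object { $_.ToXml() } | Get-BadSuccessorIndicator
```

The two 5136 conditions are the ones worth alerting on: in a domain that is not migrating service accounts, any write to msDS-ManagedAccountPrecededByLink is suspicious, and a link whose value is a member of Domain Admins or another privileged group should be treated as an active attack rather than a configuration oddity.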
Industry Impact and Scope
The scale of the vulnerability is difficult to overstate. Microsoft's Active Directory is a cornerstone authentication and authorization service for enterprise ecosystems; it is estimated to be present in over 90% of Global Fortune 1000 companies and countless enterprises worldwide. The introduction of a vulnerability that could, under default configurations, allow privilege escalation from ostensibly lower-privileged accounts represents a significant threat surface.

Akamai’s research, which surveyed a broad cross-section of client environments, suggests that the issue is not isolated to obscure or fringe deployments. Rather, a large percentage of organizations, even those with experienced IT teams, have inadvertently left themselves open to this attack by retaining legacy permissions models or by failing to review dMSA-related rights following the introduction of Windows Server 2025.
Microsoft’s Response and the Absence of a Patch
As of now, Microsoft has officially acknowledged the vulnerability and says it will provide a fix. Microsoft rated the issue as moderate severity, on the grounds that an attacker must already hold specific permissions on an OU, and therefore did not treat it as requiring an immediate out-of-band update. According to Akamai and corroborated by industry reports, no patch has yet been released. This leaves IT managers and system administrators in a precarious position: aware of a critical security vulnerability with no vendor-supplied solution in place.

This interim period, where a known and actively publicized vulnerability exists without a corresponding patch, is often the most dangerous. Awareness in the attacker community is high, and exploits could be developed quickly, leaving unprepared organizations exposed.
Practical Recommendations and Mitigations
In the absence of a Microsoft-provided patch, the responsibility for mitigation falls on IT departments. Fortunately, Akamai has developed a set of recommended steps, validated and approved by Microsoft, that can meaningfully reduce the attack surface.

1. Audit dMSA Creation Rights
First and foremost, organizations must inventory all principals in the domain, including users, groups, and computers, with the authority to create or modify dMSAs. In ACL terms this means the CreateChild right on an OU or container (either for all object classes or specifically for the msDS-DelegatedManagedServiceAccount class), the right to write attributes of existing dMSA objects, and the broader GenericAll, WriteDacl and WriteOwner rights from which such permissions can be derived. Akamai has released a PowerShell script, Get-BadSuccessorOUPermissions.ps1, that generates this list, surfacing any accounts that have been granted these permissions outside standard administrative channels.

The output of this script highlights not only which accounts can create dMSAs, but also the specific Organizational Units (OUs) for which they possess this right. This granularity is critical, as permissions may have been delegated for legacy workflows or third-party integrations, or may arrive through ACL inheritance from parent containers in unexpected ways.
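The following PowerShell is an added example of the same audit in its simplest form, together with the cleanup that the next step calls for. It is not Akamai's Get-BadSuccessorOUPermissions.ps1 and not code from the article. It assumes the RSAT ActiveDirectory module, a domain whose schema already contains the msDS-DelegatedManagedServiceAccount class, and that only SYSTEM, BUILTIN\Administrators, Domain Admins and Enterprise Admins are expected to hold these rights; the function names and the placeholder OU and group in the last line are invented.

```powershell
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory   # also provides the AD: drive used by Get-Acl / Set-Acl

$adRights = [System.DirectoryServices.ActiveDirectoryRights]

# Resolve the dMSA class GUID from the live schema rather than hard-coding it. If the
# class is missing, no Windows Server 2025 DC has extended the schema yet.
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$dmsaClass = Get-ADObject -SearchBase $schemaNC -Properties schemaIDGUID `
                -LDAPFilter '(lDAPDisplayName=msDS-DelegatedManagedServiceAccount)'
if (-not $dmsaClass) { throw 'msDS-DelegatedManagedServiceAccount is not in the schema.' }
$dmsaGuid = [guid]$dmsaClass.schemaIDGUID

# Principals expected to hold these rights (an assumption); everything else is reported.
$domain       = Get-ADDomain
$domainSid    = $domain.DomainSID.Value
$expectedSids = @('S-1-5-18', 'S-1-5-32-544', "$domainSid-512", "$domainSid-519")
               # SYSTEM,     Administrators, Domain Admins,   Enterprise Admins

function Test-DmsaCreateRight {
    # True if the ACE lets its holder create a dMSA in the container, directly or
    # by first rewriting the ACL (GenericAll, WriteDacl, WriteOwner).
    param([System.DirectoryServices.ActiveDirectoryAccessRule]$Ace)
    if ($Ace.AccessControlType -ne 'Allow') { return $false }
    $r = $Ace.ActiveDirectoryRights
    if ($r.HasFlag($adRights::GenericAll)) { return $true }
    if ([int]($r -band ($adRights::WriteDacl -bor $adRights::WriteOwner)) -ne 0) { return $true }
    if ([int]($r -band $adRights::CreateChild) -ne 0) {
        # An empty ObjectType means CreateChild for every class; otherwise it must name the dMSA class
        return ($Ace.ObjectType -eq [guid]::Empty -or $Ace.ObjectType -eq $dmsaGuid)
    }
    return $false
}

function Get-DmsaCreatePermission {
    # Step 1: every OU, the domain head and the default Managed Service Accounts container
    $holders  = @(Get-ADObject -LDAPFilter '(|(objectClass=organizationalUnit)(objectClass=domainDNS))')
    $holders += Get-ADObject -Identity "CN=Managed Service Accounts,$($domain.DistinguishedName)"
    foreach ($h in $holders) {
        $acl = Get-Acl -Path "AD:\$($h.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            if (-not (Test-DmsaCreateRight $ace)) { continue }
            try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
            catch { $sid = $ace.IdentityReference.Value }      # orphaned SID that no longer resolves
            if ($expectedSids -contains $sid) { continue }
            [pscustomobject]@{
                Container = $h.DistinguishedName
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.ActiveDirectoryRights
                Inherited = $ace.IsInherited   # inherited ACEs must be removed on the parent that defines them
            }
        }
    }
}

function Remove-DmsaCreatePermission {
    # Step 2: strip the explicit ACEs for one identity on one container, after the
    # owner has confirmed the delegation is no longer needed. Returns the number removed.
    param([Parameter(Mandatory)][string]$ContainerDn,
          [Parameter(Mandatory)][string]$Identity)
    $acl = Get-Acl -Path "AD:\$ContainerDn"
    $toRemove = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and -not $_.IsInherited -and (Test-DmsaCreateRight $_)
    })
    foreach ($ace in $toRemove) { [void]$acl.RemoveAccessRule($ace) }
    Set-Acl -Path "AD:\$ContainerDn" -AclObject $acl
    return $toRemove.Count
}

Get-DmsaCreatePermission | Sort-Object Container, Identity | Format-Table -AutoSize
# Cleanup of one reviewed finding (placeholder OU and group):
# Remove-DmsaCreatePermission -ContainerDn 'OU=Workstations,DC=corp,DC=example' -Identity 'CORP\helpdesk'
```

Two points are deliberate: built-in operator groups such as Account Operators are not on the expected list, so they appear in the output and the team decides whether their membership is acceptable; and WriteDacl and WriteOwner are counted as create rights because a holder can grant itself CreateChild in one step, which a narrower audit would miss.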
2. Limit Permissions to Trusted Administrators
Once the list of authorized principals is established, the next step is to ensure that only a narrow, vetted set of “trusted administrators” retains the right to create or manage dMSAs. This may require coordination with application owners or service account stakeholders to verify business justification before removing permissions. The principle of least privilege should be rigorously enforced.

3. Continuous Monitoring and Review
Given that permissions creep is a perennial challenge in large AD environments, continuous monitoring and periodic reviews of dMSA-related rights should become a regular routine. Administrators should automate or schedule the auditing process quarterly or after any significant change windows.

4. Await and Prepare for Vendor Guidance
While taking these steps, organizations should stay abreast of official Microsoft communications regarding patches or hotfixes for the “BadSuccessor” flaw. As soon as a fix is made available, rapid testing and deployment should be prioritized, especially in sectors with strict regulatory requirements or high-value targets for attackers.

Technical Underpinnings: Understanding dMSAs
To fully appreciate the impact of the vulnerability, it’s helpful to examine the architecture and intended purpose of delegated Managed Service Accounts in Windows Server 2025.

Managed Service Accounts Evolution
For years, Microsoft has provided Managed Service Accounts (MSAs) and Group Managed Service Accounts (gMSAs) as a secure way to run services with automatically managed credentials. dMSAs build on these concepts, designed specifically for scenarios where delegated control is necessary, such as granting operational teams the ability to manage application service accounts without exposing full administrative rights.

Architectural Shift
The crucial difference with dMSAs lies in migration. A dMSA can be designated the successor of an existing service account: the directory records the link between the two, and once the migration is marked complete the KDC issues the dMSA tickets carrying the privileges of the account it replaced, so the legacy account can be retired without re-permissioning every resource it touched. This convenience is attractive for large organizations, but, as the “BadSuccessor” finding demonstrates, the same carry-over becomes a privilege escalation vector when the link can be set by anyone able to create or write a dMSA object.

Risk Amplified by Default Settings
A key finding by Akamai is that, in its default configuration, Windows Server 2025 does not restrict who may set up a dMSA as the successor of another account: the KDC honours the link regardless of who wrote it, and creating the dMSA object itself requires only the CreateChild right on an OU, a right routinely delegated to helpdesk, provisioning and application teams or acquired through group memberships. The result is a far larger pool of potentially exploitable accounts than originally intended.

Critical Analysis: Strengths, Flaws, and Future Outlook
Strengths of Microsoft’s Approach
- Innovation in Service Account Management: The introduction of dMSAs reflects Microsoft’s continued evolution towards more granular delegation and automation in Active Directory environments. These features, when properly secured, offer significant operational and security benefits over static service accounts, which have been a recurring weak point in many breaches.
- Prompt Vendor Engagement: Following Akamai’s responsible disclosure, Microsoft’s acknowledgment of the issue and approval of interim mitigations are positive steps. This collaborative posture helps ensure that corrective actions are feasible within existing administrative frameworks.
Notable Flaws and Potential Risks
- Dangerous Defaults: Perhaps the most serious criticism is Microsoft’s decision to ship Windows Server 2025 with permissive defaults for dMSAs. This practice, though perhaps rooted in the desire for easier adoption, violates the foundational security principle of “secure by default.” The risk is demonstrated by Akamai’s finding that up to 91 percent of surveyed environments had non-admin users with rights sufficient to exploit the vulnerability.
- Latency of Patch Delivery: The absence of an immediate patch leaves organizations relying on access-control hygiene alone for an indeterminate period. Given the prevalence of Active Directory and the lateral movement that a domain-level compromise enables, failure to act swiftly could result in widespread compromise.
- Impact on Trust: Widespread vulnerabilities—especially in default configurations from a dominant vendor—erode trust in ecosystem security. This is especially problematic for IT leaders advocating for rapid adoption of the latest Windows Server features to stay current with support and compliance.
Unverified Claims and Cautionary Notes
While Akamai’s technical findings have been reviewed and their mitigation script approved by Microsoft, organizations should exercise due diligence in applying third-party scripts in production environments. Where possible, internal validation and peer review should precede any automated modifications to Active Directory permissions.

It is also important to remain cautious of early exploit code or tools circulating in public repositories before official advisories or security updates from Microsoft.
Implications for Security Strategy
The “BadSuccessor” vulnerability serves as a stark reminder that innovation must be balanced with rigorous security review, particularly when changes affect core infrastructure components like Active Directory. Organizations moving to Windows Server 2025, whether for performance improvements, feature adoption, or lifecycle management, must not skip security validation during the migration process.

Moreover, the incident highlights several enduring best practices:
- Principle of Least Privilege: Continually audit permissions, especially for new features and account types.
- Agile Incident Response: Maintain playbooks and processes to evaluate, test, and deploy vendor-recommended mitigations.
- Stay Informed: Subscribe to security advisories, vendor communications, and trusted industry analysis to receive early warnings of newly discovered issues.
Broader Lessons for the Industry
Microsoft’s experience with delegated Managed Service Accounts in Windows Server 2025 is emblematic of challenges faced by all major software vendors: balancing innovation with secure operational defaults and managing the communication chain from discovery to disclosure to remediation.

For administrators, it is an opportunity to revisit and reinforce the security culture within their organizations. Tools and architectures will continue to evolve, but the basics of rights management, continuous monitoring, and rapid response remain fundamental.
Security is a process, not a product—no system, no matter how mature, is immune to misconfiguration or oversight. The onus remains on every stakeholder to understand, mitigate, and communicate risks as new technologies are adopted.
Conclusion
The “BadSuccessor” vulnerability in Windows Server 2025’s implementation of delegated Managed Service Accounts is a timely cautionary tale for both Microsoft and its vast community of enterprise users. While the new dMSA feature represents a step forward in service account management, it also illustrates the dangers of permissive defaults and the need for attentive, proactive security administration.

Until Microsoft delivers an official patch, the best defense is vigilance: auditing dMSA permissions, restricting creation rights to trusted administrators, and keeping a close watch on security advisories. The incident underscores the critical importance of active engagement with industry partners, robust internal processes, and an unwavering commitment to least privilege.
Windows Server 2025 will undoubtedly deliver new capabilities that advance the state of enterprise infrastructure. But the lessons of “BadSuccessor” should inform every deployment, ensuring that innovation and security move hand-in-hand into the next era of Active Directory management.
Source: heise online Windows Server 2025: Rights extension gap in AD