Windows Server 2025, the much-anticipated evolution of Microsoft’s venerable server operating system, now finds itself at the center of an alarming security controversy. The emergence of a proof-of-concept (PoC) tool dubbed SharpSuccessor has illuminated the risks associated with a newly discovered vulnerability—BadSuccessor—buried within the delegated Managed Service Account (dMSA) architecture. This flaw, if exploited, could unravel the security fabric of Active Directory environments across the globe, drawing urgent attention from cybersecurity professionals and enterprise IT administrators alike.
A Deep Dive into the BadSuccessor Vulnerability
At the core of this threat is a subtle but devastating oversight in the design of dMSAs. Delegated Managed Service Accounts were designed as a highly specific security mechanism, enabling organizations to assign service accounts to applications without relying on persistent, manually-managed credentials. However, security researcher Yuval Gordon, working for Akamai, unearthed the BadSuccessor bug—an architectural snafu that, in essence, allows attackers to escalate privileges by manipulating Active Directory attributes tied to dMSA migration.
Specifically, the vulnerability leverages the manipulation of two critical AD attributes: msDS-ManagedAccountPrecededByLink and msDS-DelegatedMSAState. By corrupting these fields, an attacker can craft a rogue dMSA, establish a “successor” relationship, and trick the domain into granting access rights tantamount to those of a highly privileged target—even Domain Admins.
What sets BadSuccessor apart from more “traditional” privilege escalation bugs? The low bar for exploitation. Whereas most domain escalation requires privileged access, this vector can be triggered by attackers armed with only CreateChild rights over any Organizational Unit (OU). This is a seismic shift, since such permissions are routinely delegated to help desk staff or automation scripts, and are rarely treated with the scrutiny reserved for domain-level privileges.
How Does the Attack Work?
The attack flow, codified and automated in the open-source SharpSuccessor utility, unfolds in several distinct stages:
- Weaponized dMSA Creation: Armed with CreateChild permissions, the attacker forges a dMSA using a simple command such as:
  SharpSuccessor.exe add /impersonate:Administrator /path:"ou=test,dc=lab,dc=lan" /account:jdoe /name:attacker_dMSA
  This results in the creation of a dMSA that effectively impersonates the privileges of a chosen account, including enterprise-critical roles such as Administrator.
- Kerberos TGT Delegation: After the weaponized dMSA is live, attackers turn to Rubeus—a popular AD post-exploitation toolkit—to obtain a Ticket Granting Ticket (TGT):
  Rubeus.exe tgtdeleg /nowrap
  This crucial Kerberos ticket acts as the gateway to further privilege escalation.
- TGS Exploitation for Privilege Escalation: With a valid TGT in hand, attackers leverage another Rubeus command to request a service ticket for the newly created dMSA:
  Rubeus.exe asktgs /targetuser:attacker_dmsa$ /service:krbtgt/lab.lan /opsec /dmsa /nowrap /ptt /ticket:[base64_ticket]
  The newly minted ticket inherits the privileges of the targeted user—giving the attacker unprecedented control over protected resources.
- Post-Exploitation Access: The attacker can then access core resources on the network, such as administrative shares, by acquiring additional Kerberos tickets specific to domain controllers:
  Rubeus.exe asktgs /user:attacker_dmsa$ /service:cifs/[DC_FQDN] /opsec /dmsa /nowrap /ptt
  This grants SMB-level access to domain controllers—the holy grail for any adversary seeking complete dominance in an enterprise environment.
Why This Threat Matters—And Why It’s Hard to Defend Against
The BadSuccessor vulnerability is uniquely dangerous because it exploits common permission models—this isn’t just an esoteric flaw lurking in obscure edge cases but rather a fundamental weakness that spans thousands of production domains.
According to recent research, a staggering 91% of assessed Active Directory environments contain non-administrative users with enough delegated rights to perform the BadSuccessor attack. This fact alone suggests a vast swath of the enterprise landscape is at risk, even if dMSAs are not in active use. As long as there is at least one Windows Server 2025 domain controller in the domain, the attack can proceed.
Moreover, the automation provided by SharpSuccessor dramatically lowers the skill required to execute such an attack. Previously, similar privilege escalations demanded fluency in intricate AD internals. With SharpSuccessor, the tactic becomes plug-and-play—the script kiddie barrier has been obliterated.
A Closer Look: The Technical Prerequisites
Many organizations could mistakenly assume their traditional least-privilege models would shield them. However, the Achilles’ heel is Active Directory’s reliance on delegated permissions for operational efficiency. Permissions like CreateChild or WriteProperty on an OU are routinely granted to allow for common tasks—provisioning user accounts, managing service accounts, and automating resource allocation.
Because the attack does not require direct modification or control over existing privileged accounts—instead, leveraging innocuous-looking dMSA creation—the attack path neatly sidesteps many traditional defenses. Privileged Access Management (PAM), multi-factor authentication (MFA), and routine audit trails may have limited utility in detecting or stopping this attack vector, especially during the initial exploitation stage.
Microsoft’s Response—And Why It Raises Eyebrows
Microsoft has acknowledged the BadSuccessor vulnerability. However, its official classification of the bug as “moderate severity” has left many enterprise security teams deeply concerned. The rationale appears to rest on the assumption that delegated OU permissions should be tightly controlled—a position that, while valid in theory, collides badly with real-world Active Directory practices.
As of publication, Microsoft has not released a patch or hotfix for Windows Server 2025 addressing BadSuccessor, instead recommending customers restrict dMSA creation rights and audit delegated OU permissions as a compensating control. This leaves administrators with a pressing need to identify and remediate insecure Active Directory delegation—a complex and error-prone task in large or legacy environments.
Industry experts have voiced sharp criticism of this risk posture. Privilege escalation flaws that can be weaponized by low-privilege accounts are, historically, prime candidates for urgent remediation. The fact that a working PoC is publicly available, paired with the ease of exploitation, arguably mandates a more decisive response.
Countermeasures and Detection
Mitigation guidance centers around auditing and restricting delegated permissions:
- Run Akamai’s Get-BadSuccessorOUPermissions.ps1 script to enumerate OUs where non-administrative users possess CreateChild or WriteProperty rights. This detection script helps identify high-risk targets before attackers do.
- Tightly control and periodically review dMSA creation and delegation rights. Limit these permissions to a small, trusted group of Active Directory administrators.
- Monitor for unusual dMSA creation events and Kerberos ticket activity, especially ticket requests involving previously unseen dMSA names.
Analyzing the Broader Security Implications
The release of SharpSuccessor is a watershed moment not only for Windows Server 2025 security but for the evolution of privilege escalation techniques in the corporate IT landscape.
Strengths and Innovations
- Automation of Complex Attacks: The tool transforms nuanced, technically demanding AD attacks into a sequence of repeatable steps, opening the door to wider abuse but also facilitating red team exercises and awareness.
- Awareness-Raising: By spotlighting architectural weaknesses in AD delegation models, SharpSuccessor can serve as a forcing function for enterprises to conduct long-overdue audits and permission reviews.
- Proof That Attack Vectors Evolve: Even as defenders grow more fluent in tackling pass-the-hash, relay, or Golden Ticket attacks, novel approaches like BadSuccessor demonstrate that attackers are broadening their focus to less-protected surface areas.
Risks and Unresolved Challenges
- Wide-Scale Exposure: Since the attack exploits commonplace OU permissions, it is likely to be broadly effective, bypassing standard privilege separation paradigms.
- Delayed Vendor Remediation: Microsoft’s decision to delay a patch leaves a significant window of exposure, during which both nation-state actors and cybercriminals may develop and improve upon the technique.
- Potential for Insider Abuse: Not all threats are external, and this vector could well be exploited by disaffected insiders or third-party service contractors granted routine OU permissions.
- Attack Attribution Difficulty: The approach’s reliance on built-in AD functions and normal Kerberos flows complicates post-incident forensics, making it harder to distinguish legitimate administrative activities from malicious privilege escalations.
Critical Perspective: Are We Moving Fast Enough?
As organizations accelerate their rollouts of Windows Server 2025—drawn by its improved scalability, security baselines, and hybrid cloud features—there is a temptation to trust that new defaults mean improved security by design. BadSuccessor is a sobering reminder that attacker innovation often moves more quickly than defender adaptation.
In the current environment, IT professionals and security architects must treat delegated OU rights with the same level of scrutiny as full administrative access. This elevates the need for advanced permissions auditing, automated monitoring, and instant incident response playbooks capable of rapidly disabling suspicious dMSAs and reviewing Kerberos-related events at scale.
What About Third-Party Defenses?
Active Directory visibility and privilege management tools—such as those from Semperis, Quest, Stealthbits, and others—may provide additional layers of auditing and alerting. However, the unique combination of dMSA manipulation and Kerberos chaining requires targeted detection logic that many solutions may not offer out-of-the-box. Security teams should verify with their vendors regarding specific coverage for BadSuccessor-like anomalies and, where necessary, develop bespoke detection scripts and metrics.
Looking Forward: Recommendations for the Windows Security Community
Until a formal Microsoft patch is issued, the onus is on organizations to take meaningful, proactive steps to safeguard their Windows Server 2025 environments. Key recommendations include:
- Conduct Immediate AD Permissions Audits: Regularly scan for users and groups with delegated rights over OUs, focusing on CreateChild, WriteProperty, and similar permissions.
- Implement Tiered Administrative Models: Ensure that privileged operations (such as dMSA creation) can only be performed from hardened, isolated workstations—never from endpoints accessible to everyday staff.
- Deploy Real-Time AD Change Detection: Invest in solutions that can alert on the creation of new dMSA objects or changes to dMSA-related attributes, in near real-time.
- Engage in Threat Emulation: Use tools like SharpSuccessor in controlled environments to test defenses, raise internal awareness, and drive security improvements. This “assume breach” mentality is crucial to staying ahead of attackers.
- Collaborate and Share Intelligence: Participate in peer-to-peer forums (such as WindowsForum.com) to share indicators of compromise, novel detection methods, and remediation workflows.
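The monitoring item in the Countermeasures list and the real-time change detection recommendation above say what to watch for (dMSA creation, changes to msDS-ManagedAccountPrecededByLink and msDS-DelegatedMSAState, ticket requests for previously unseen dMSA names) but not how to correlate it. The Python script below is an added example, not code from the article, Akamai or SharpSuccessor: it runs that correlation over Security-log records represented as dicts with their standard field names (event IDs 5137, 5136 and 4769 are the real ones). It assumes a dMSA's sAMAccountName is its CN plus "$", and both the protected-principal allowlist and the sample events are constructed for the demo.

```python
# Added example (not from the article, Akamai or SharpSuccessor): correlate
# Directory Service and Kerberos events into BadSuccessor-style alerts.
# Real event IDs: 5137 = object created, 5136 = object modified, 4769 = TGS requested.
# Records are dicts as a SIEM export would produce; samples below are constructed.
DMSA_CLASS = "msDS-DelegatedManagedServiceAccount"
WATCHED_ATTRS = {"msDS-ManagedAccountPrecededByLink", "msDS-DelegatedMSAState"}
# Assumption: a minimal allowlist of protected principals; extend to all Tier-0 objects.
PROTECTED_CNS = {"cn=administrator", "cn=domain admins", "cn=krbtgt"}

def first_rdn(dn):
    """Return the leading RDN of a DN, lower-cased (e.g. 'cn=attacker_dmsa')."""
    return dn.split(",", 1)[0].strip().lower()

def analyze(events, baseline_dmsas):
    """Return a list of (severity, message) alerts.
    baseline_dmsas: sAMAccountNames (trailing $) of dMSAs approved before the window."""
    alerts = []
    known = {n.lower() for n in baseline_dmsas}
    new_dmsas = set()  # dMSAs first seen inside this window
    for ev in events:
        eid = ev["EventID"]
        if eid == 5137 and ev.get("ObjectClass") == DMSA_CLASS:
            sam = first_rdn(ev["ObjectDN"])[3:] + "$"  # assumption: sAMAccountName = CN + "$"
            if sam not in known:
                new_dmsas.add(sam)
                alerts.append(("MEDIUM", f"dMSA {sam} created by {ev['SubjectUserName']} in {ev['ObjectDN']}"))
        elif eid == 5136 and ev.get("AttributeLDAPDisplayName") in WATCHED_ATTRS:
            attr, val = ev["AttributeLDAPDisplayName"], ev.get("AttributeValue", "")
            # A predecessor link pointing at a protected principal is the BadSuccessor signature.
            sev = "HIGH" if attr == "msDS-ManagedAccountPrecededByLink" and first_rdn(val) in PROTECTED_CNS else "MEDIUM"
            alerts.append((sev, f"{attr} on {ev['ObjectDN']} set to {val!r} by {ev['SubjectUserName']}"))
        elif eid == 4769:
            # 4769 TargetUserName is the account the service ticket was requested for (user@REALM).
            acct = ev.get("TargetUserName", "").split("@")[0].lower()
            if acct in new_dmsas:
                alerts.append(("HIGH", f"ticket for {ev.get('ServiceName')} issued to newly created dMSA {acct} from {ev.get('IpAddress')}"))
    return alerts

SAMPLE_EVENTS = [  # constructed records mirroring the attack stages described in the article
    {"EventID": 5137, "ObjectClass": DMSA_CLASS, "ObjectDN": "CN=attacker_dMSA,OU=test,DC=lab,DC=lan", "SubjectUserName": "jdoe"},
    {"EventID": 5136, "ObjectDN": "CN=attacker_dMSA,OU=test,DC=lab,DC=lan", "AttributeLDAPDisplayName": "msDS-ManagedAccountPrecededByLink", "AttributeValue": "CN=Administrator,CN=Users,DC=lab,DC=lan", "SubjectUserName": "jdoe"},
    {"EventID": 5136, "ObjectDN": "CN=attacker_dMSA,OU=test,DC=lab,DC=lan", "AttributeLDAPDisplayName": "msDS-DelegatedMSAState", "AttributeValue": "2", "SubjectUserName": "jdoe"},
    {"EventID": 4769, "TargetUserName": "attacker_dMSA$@LAB.LAN", "ServiceName": "krbtgt/lab.lan", "IpAddress": "10.0.0.5"},
    {"EventID": 4769, "TargetUserName": "svc_web$@LAB.LAN", "ServiceName": "cifs/dc01.lab.lan", "IpAddress": "10.0.0.9"},
]

if __name__ == "__main__":
    for sev, msg in analyze(SAMPLE_EVENTS, baseline_dmsas=["svc_web$"]):
        print(sev, msg)
```

The baseline approved dMSA (svc_web$) produces no alert, while the freshly created dMSA, its predecessor link to Administrator, and the first ticket issued to it each do.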
The Takeaway: Trust, But Verify
The BadSuccessor flaw and the proliferation of tools like SharpSuccessor signal a need for a strategic reset in how organizations approach Active Directory delegation. The assumption that routine permissions are low risk has been upended. Moving forward, a culture of continuous verification—supported by automated auditing, granular role-based access controls, and defensible inheritance chains—will be key to maintaining trust in domain security.
As ever, the Windows security community’s vigilance is the first and last line of defense. By staying informed, critically evaluating risk, and advocating for timely vendor remediation, defenders can turn today’s weakness into tomorrow’s strength.
While the exploit’s technical details will continue to evolve, the fundamental lesson endures: in cybersecurity, convenience and legacy practices are fertile ground for the next great exploit. The time to reassess your Active Directory delegation is now.
Source: CybersecurityNews SharpSuccessor - A PoC For Exploiting Windows Server 2025's BadSuccessor Vulnerability