Yuval Gordon from Akamai has uncovered a critical vulnerability in Windows Server 2025 that allows attackers to exploit delegated Managed Service Accounts (dMSAs) for privilege escalation, potentially compromising any Active Directory (AD) user in the domain. This flaw leverages the inherent migration process of dMSAs, an otherwise well-intentioned feature designed to simplify service account transitions. However, as revealed in the research, this feature contains vulnerabilities that allow for full domain compromise with minimal effort.
What are dMSAs?
Managed Service Accounts (MSAs) were introduced in previous Windows Server versions to simplify service account management by allowing automatic password management for services. With Windows Server 2025, the dMSA (delegated Managed Service Account) was introduced as an enhanced version of MSAs, enabling the migration of non-managed service accounts to dMSAs. A key feature of dMSAs is their ability to inherit permissions from the accounts they replace, making it easy to migrate services without interrupting existing workflows.
However, Gordon’s research into the migration flow of dMSAs revealed that the migration process inadvertently opens a backdoor for attackers to elevate their privileges. The key lies in the msDS-ManagedAccountPrecededByLink attribute, which determines the “successor” account in a migration. By manipulating this link, attackers can simulate a migration and inherit the permissions of any user in the domain, including high-privilege accounts like domain admins, without the need for direct changes to group memberships or explicit escalation methods.
The Attack in Detail
To exploit the dMSA migration process, attackers need minimal access. A simple write permission on the dMSA object is enough to link a target user account to a new dMSA. Once this link is established, the attacker can authenticate as the dMSA and inherit all of the target account’s permissions, including access to sensitive domain resources. This process works because the domain controller trusts the link between the old service account and the new dMSA, thus granting the attacker full access to any services and systems the original account could access.
The attack, dubbed “BadSuccessor” by Gordon, can be performed without any need for direct interaction with the target account. Even accounts marked as high-privileged—such as Domain Admins—are vulnerable to this abuse. Through this attack, an attacker can gain full control of a domain by simply creating a dMSA, performing the simulated migration, and gaining administrative access.
Exploiting dMSAs: From Low Privileges to Domain Domination
This vulnerability does not require an attacker to compromise a high-privilege account first. Instead, it allows attackers to escalate their privileges from a low-level user to an administrator by leveraging dMSA permissions. This ability to simulate the migration process of service accounts opens up a wide range of attack vectors, allowing cybercriminals to bypass traditional security measures and gain full control of the Active Directory domain.
One of the most insidious aspects of this vulnerability is its stealth. The attack does not require any traditional privilege escalation methods, such as modifying group memberships or escalating access through well-known tools. Instead, it exploits the inherent trust between service accounts and their associated dMSAs, using an almost invisible process to escalate privileges. As a result, many organizations may not even be aware of the abuse until it’s too late.
Impact on Organizations
Given that a majority of organizations rely on Active Directory for managing permissions and access across their IT infrastructure, this vulnerability poses a significant risk. In many environments, users outside of privileged groups are granted the ability to create or modify dMSAs. This misconfiguration can allow low-privilege attackers to hijack any account in the domain. This vulnerability, though related to the new dMSA functionality in Windows Server 2025, is likely to impact a wide range of organizations—especially those that have adopted the latest Windows Server version without fully understanding the implications of dMSA permissions.
What do Organizations Need to Know?
Until Microsoft provides an official patch, organizations should take proactive measures to detect and mitigate the risks posed by the dMSA privilege escalation vulnerability. Our recommendations include:
- Monitor dMSA Creation: Configure System Access Control Lists (SACLs) to log the creation of new dMSA objects (Event ID 5137). Pay attention to any unauthorized user accounts attempting to create dMSAs.
- Track Attribute Modifications: Set up SACLs to track modifications to the msDS-ManagedAccountPrecededByLink attribute (Event ID 5136), as changes to this attribute signal potential abuse.
- Inspect Authentication Logs: Event ID 2946 should be closely monitored for suspicious dMSA authentication attempts. These logs indicate when a dMSA is being used to authenticate with the domain controller.
- Review Permissions on Organizational Units: It’s important to review permissions on OUs and containers where dMSAs are created. Excessive permissions, such as the ability to create child objects, should be restricted to trusted administrators only.
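The following PowerShell script is an added example written for this post; it is not code from the article, from Akamai, or from Microsoft. It turns the four recommendations above into two checks a defender can run from a domain controller or an RSAT host: it pulls recent 5137 (dMSA created), 5136 (msDS-ManagedAccountPrecededByLink changed) and 2946 (dMSA authentication) events, and it lists every OU or container where a principal outside a trusted list can create dMSA objects or otherwise control the container. It assumes the ActiveDirectory module is installed, that SACL auditing for directory object changes is already enabled on the containers of interest, and that Event ID 2946 is written to the "Directory Service" log; the trusted-principal list is a placeholder to adjust for your environment.

```powershell
# Added example: audit the BadSuccessor preconditions described above.
# Assumes the ActiveDirectory module (RSAT) and an account that can read
# the Security and Directory Service logs on the DC it runs against.
Import-Module ActiveDirectory

# 1. Recent dMSA creations (5137) and successor-link changes (5136).
#    Requires object-access auditing (SACLs) on the relevant containers.
function Get-DmsaAuditEvents {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 5136, 5137; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Flatten the EventData <Data Name="..."> elements into a hashtable.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        $isDmsaCreate = ($e.Id -eq 5137 -and $d['ObjectClass'] -eq 'msDS-DelegatedManagedServiceAccount')
        $isLinkChange = ($e.Id -eq 5136 -and $d['AttributeLDAPDisplayName'] -eq 'msDS-ManagedAccountPrecededByLink')
        if ($isDmsaCreate -or $isLinkChange) {
            [pscustomobject]@{
                Time      = $e.TimeCreated
                EventId   = $e.Id
                Actor     = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Object    = $d['ObjectDN']
                Attribute = $d['AttributeLDAPDisplayName']
                Value     = $d['AttributeValue']   # for 5136: DN of the account the dMSA claims to succeed
            }
        }
    }
}

# 2. dMSA authentication events (assumption: ID 2946 in the Directory Service log).
function Get-DmsaAuthEvents {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Directory Service'; Id = 2946; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

# 3. Containers where a non-trusted principal can create dMSAs or take over the container.
function Get-DmsaCreateRights {
    $rootDse = Get-ADRootDSE
    # Resolve the dMSA class GUID from the schema instead of hard-coding it.
    $schema = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter '(lDAPDisplayName=msDS-DelegatedManagedServiceAccount)' -Properties schemaIDGUID
    $dmsaGuid = [guid]$schema.schemaIDGUID
    $anyGuid  = [guid]'00000000-0000-0000-0000-000000000000'   # ACE applies to all child classes

    # Placeholder list of principals expected to hold these rights; adjust per environment.
    $trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                 "$env:USERDOMAIN\Domain Admins", "$env:USERDOMAIN\Enterprise Admins")

    $R = [System.DirectoryServices.ActiveDirectoryRights]
    $containers = Get-ADObject -SearchBase $rootDse.defaultNamingContext `
        -LDAPFilter '(|(objectClass=organizationalUnit)(objectClass=container))'
    foreach ($c in $containers) {
        $acl = Get-Acl -Path "AD:\$($c.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($ace.IdentityReference.Value -in $trusted) { continue }
            $rights = $ace.ActiveDirectoryRights
            $canCreate = $rights.HasFlag($R::CreateChild) -and ($ace.ObjectType -in @($dmsaGuid, $anyGuid))
            $canTakeOver = $rights.HasFlag($R::GenericAll) -or $rights.HasFlag($R::WriteDacl) -or $rights.HasFlag($R::WriteOwner)
            if ($canCreate -or $canTakeOver) {
                [pscustomobject]@{
                    Container = $c.DistinguishedName
                    Principal = $ace.IdentityReference.Value
                    Rights    = $rights
                    Reason    = if ($canCreate) { 'CreateChild (dMSA)' } else { 'Container takeover rights' }
                }
            }
        }
    }
}

# Usage: run on a DC, review the output, then tighten the ACLs that appear.
Get-DmsaAuditEvents -Hours 72 | Format-Table -AutoSize
Get-DmsaAuthEvents  -Hours 72 | Format-Table -AutoSize
Get-DmsaCreateRights          | Format-Table -AutoSize
```

The permission check deliberately reports GenericAll, WriteDacl and WriteOwner alongside the explicit CreateChild right, because a principal who can rewrite the container's DACL can grant itself the create right later; both classes of finding should end up with the same remediation, namely removing the right from any principal that is not a trusted administrator.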
Microsoft’s Digital Crimes Unit (DCU) is currently working on a patch, and further guidance will be issued once the technical details are available.
How Can Netizen Help?
Netizen ensures that security gets built in, not bolted on, by providing advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service”, through which companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Questions or concerns? Feel free to reach out to us any time: https://www.netizen.net/contact
