BadSuccessor Dangerous dMSA Permissions

critical

Description

BadSuccessor is a privilege escalation vulnerability in Active Directory, introduced with the delegated Managed Service Accounts (dMSAs) feature in Windows Server 2025. It allows an attacker who can create or modify a dMSA to make that dMSA inherit the permissions of a high-privilege target account, potentially leading to full domain compromise. Exploitation requires at least one Windows Server 2025 domain controller in the domain.

Solution

As of May 2025, Microsoft had not patched the BadSuccessor vulnerability but was working on a fix. In the meantime, organizations should restrict dMSA creation and modification permissions to trusted users, or consider demoting Windows Server 2025 domain controllers as a temporary workaround.
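The workaround above depends on knowing who can currently create or modify dMSA objects. The following PowerShell audit is an added example, not part of this indicator page or of any vendor tooling: it walks every OU and container in the domain, plus any existing dMSA objects, and lists ACEs that grant CreateChild for the dMSA object class (or for any child class), or broad write rights, to principals outside an allow-list. It assumes the ActiveDirectory RSAT module and its `AD:` drive are available, that the forest schema already contains the `msDS-DelegatedManagedServiceAccount` class (Windows Server 2025 schema), and that `CONTOSO` is a placeholder domain name to be replaced.

```powershell
# Added audit example (not the indicator page's or any vendor's code).
# Assumes: ActiveDirectory RSAT module, a Windows Server 2025 schema, and
# CONTOSO as a placeholder for your own domain NetBIOS name.
Import-Module ActiveDirectory

# Principals expected to hold dMSA create/modify rights; adjust to your environment (assumption).
$TrustedPrincipals = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'CONTOSO\Domain Admins',
    'CONTOSO\Enterprise Admins'
)

$rootDse = Get-ADRootDSE

# Resolve the schemaIDGUID of the dMSA class so class-specific CreateChild ACEs can be matched.
$dmsaClass = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=msDS-DelegatedManagedServiceAccount)' `
    -Properties schemaIDGUID
if (-not $dmsaClass) {
    throw 'msDS-DelegatedManagedServiceAccount class not found; the schema predates Windows Server 2025.'
}
$dmsaGuid = [guid]$dmsaClass.schemaIDGUID

$createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
$broadWrite  = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll -bor
               [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite -bor
               [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl -bor
               [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner

# Places where a new dMSA could be created (OUs and containers) and dMSAs that already exist.
$targets = @(Get-ADObject -SearchBase $rootDse.defaultNamingContext `
    -LDAPFilter '(|(objectClass=organizationalUnit)(objectClass=container)(objectClass=msDS-DelegatedManagedServiceAccount))' `
    -Properties objectClass)

$findings = foreach ($obj in $targets) {
    $acl = Get-Acl -Path "AD:\$($obj.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        if ($TrustedPrincipals -contains $who) { continue }

        $rights = $ace.ActiveDirectoryRights
        # CreateChild limited to the dMSA class, or unrestricted (ObjectType = empty GUID).
        $canCreateDmsa = (($rights -band $createChild) -ne 0) -and
                         ($ace.ObjectType -eq [guid]::Empty -or $ace.ObjectType -eq $dmsaGuid)
        # Generic/write-DACL/owner rights let the holder reach the same outcome indirectly.
        $hasBroadWrite = (($rights -band $broadWrite) -ne 0)

        if ($canCreateDmsa -or $hasBroadWrite) {
            [pscustomobject]@{
                Object      = $obj.DistinguishedName
                ObjectClass = $obj.ObjectClass
                Principal   = $who
                Rights      = $rights
                AceObject   = if ($ace.ObjectType -eq $dmsaGuid) { 'dMSA class' } elseif ($ace.ObjectType -eq [guid]::Empty) { 'any' } else { $ace.ObjectType }
                Inherited   = $ace.IsInherited
            }
        }
    }
}

if ($findings) {
    $findings | Sort-Object Object, Principal | Format-Table -AutoSize
} else {
    Write-Output 'No untrusted principals hold dMSA create or broad write rights.'
}
```

Run it from a domain-joined host with RSAT as a user who can read the relevant ACLs. Every row is a principal who, outside the trusted set, could create a dMSA in that container or rewrite an existing one; those are the permissions the solution says to pull back. Inherited rows usually trace to a parent OU, so fix the grant at its source rather than on each child.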

See Also

BadSuccessor: Abusing dMSA to Escalate Privileges in Active Directory

Delegated Managed Service Accounts overview

Indicator Details

Name: BadSuccessor Dangerous dMSA Permissions

Codename: C-BAD-SUCCESSOR

Severity: Critical

Type: Active Directory Indicator of Exposure

MITRE ATT&CK Information:

Attacker Known Tools

mpgn: NetExec

Logan Goins: SharpSuccessor