BadSuccessor is a privilege escalation vulnerability in Active Directory, introduced with the delegated Managed Service Accounts (dMSAs) feature in Windows Server 2025. It allows attackers to create or modify a dMSA to inherit the permissions of a high-privilege target, potentially leading to full domain compromise. Exploitation requires at least one Windows Server 2025 domain controller in the domain.
As of May 2025, Microsoft had not yet patched the BadSuccessor vulnerability but was working on a fix. In the meantime, organizations should restrict dMSA creation and modification permissions to trusted users, or consider demoting Windows Server 2025 domain controllers as a temporary workaround.
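Applying that workaround means first knowing which principals can create or control dMSA objects, and in which OUs. The PowerShell audit below is an added example, not code from the original page, from NetExec, or from SharpSuccessor. It assumes the RSAT ActiveDirectory module is installed, that the caller can read the schema partition and the ACLs of the domain's OUs and containers, and that the `$allowedPattern` regex (a placeholder you must adapt) lists the administrative principals that are expected to hold such rights. The object class and attribute names (msDS-DelegatedManagedServiceAccount, msDS-ManagedAccountPrecededByLink, msDS-DelegatedMSAState) are those of the Windows Server 2025 schema.

```powershell
# Added audit script for the BadSuccessor exposure; not from the original page.
# Reports (1) OUs/containers where principals outside the allow-list can create
# dMSA objects or take control of the container, and (2) existing dMSAs whose
# msDS-ManagedAccountPrecededByLink points at another account, which is the
# attribute an attacker sets to make the dMSA inherit that account's access.

Import-Module ActiveDirectory -ErrorAction Stop

$rootDse  = Get-ADRootDSE
$schemaNc = $rootDse.schemaNamingContext
$domainNc = $rootDse.defaultNamingContext

# Resolve the dMSA class GUID from the schema instead of hard-coding it.
$dmsaClass = Get-ADObject -SearchBase $schemaNc -SearchScope OneLevel `
    -LDAPFilter '(lDAPDisplayName=msDS-DelegatedManagedServiceAccount)' -Properties schemaIDGUID
if (-not $dmsaClass) {
    Write-Warning 'dMSA class not present in the schema: no Windows Server 2025 schema, BadSuccessor does not apply.'
    return
}
$dmsaGuid = [guid]::new([byte[]]$dmsaClass.schemaIDGUID)

# ASSUMPTION: principals that legitimately hold these rights. Adapt to your forest.
$allowedPattern = '^(NT AUTHORITY\\SYSTEM|BUILTIN\\Administrators|.+\\Domain Admins|.+\\Enterprise Admins)$'

$createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
$genericAll  = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$writeDacl   = [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl
$writeOwner  = [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner

# (1) Who can create dMSAs (or grant themselves the right) in each OU/container?
$containers = Get-ADObject -SearchBase $domainNc -SearchScope Subtree `
    -LDAPFilter '(|(objectClass=organizationalUnit)(objectClass=container))'

$dangerousAces = foreach ($c in $containers) {
    $acl = Get-Acl -Path "AD:\$($c.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -match $allowedPattern) { continue }
        $rights = $ace.ActiveDirectoryRights

        # CreateChild scoped to the dMSA class, CreateChild for any class
        # (empty ObjectType), or a right that lets the holder rewrite the DACL.
        $canCreateDmsa = (($rights -band $createChild) -ne 0) -and
                         ($ace.ObjectType -eq $dmsaGuid -or $ace.ObjectType -eq [guid]::Empty)
        $canTakeOver   = (($rights -band $genericAll) -ne 0) -or
                         (($rights -band $writeDacl)  -ne 0) -or
                         (($rights -band $writeOwner) -ne 0)

        if ($canCreateDmsa -or $canTakeOver) {
            [pscustomobject]@{
                Container = $c.DistinguishedName
                Identity  = $ace.IdentityReference.Value
                Rights    = $rights
                Inherited = $ace.IsInherited
            }
        }
    }
}

Write-Host "`n== Non-allow-listed principals able to create or control dMSAs ==" -ForegroundColor Yellow
$dangerousAces | Sort-Object Container, Identity | Format-Table -AutoSize

# (2) Existing dMSAs that already point at a predecessor account. A link to a
# privileged account created outside a planned migration is the artifact to investigate.
$linked = Get-ADObject -SearchBase $domainNc -SearchScope Subtree `
    -LDAPFilter '(&(objectClass=msDS-DelegatedManagedServiceAccount)(msDS-ManagedAccountPrecededByLink=*))' `
    -Properties msDS-ManagedAccountPrecededByLink, msDS-DelegatedMSAState, whenCreated, whenChanged

Write-Host "`n== dMSAs with msDS-ManagedAccountPrecededByLink set ==" -ForegroundColor Yellow
$linked | ForEach-Object {
    [pscustomobject]@{
        dMSA        = $_.DistinguishedName
        Supersedes  = $_.'msDS-ManagedAccountPrecededByLink'
        State       = $_.'msDS-DelegatedMSAState'   # 2 = migration completed
        Created     = $_.whenCreated
        Changed     = $_.whenChanged
    }
} | Format-Table -AutoSize
```

Run it from an elevated PowerShell session on a domain-joined host with RSAT. Every row in the first table is a principal that should either be added to the allow-list (if its rights are intended) or have the ACE removed; every row in the second table should be matched against a known, approved service-account migration, and anything unexplained treated as an incident rather than a configuration issue.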
BadSuccessor: Abusing dMSA to Escalate Privileges in Active Directory
Name: BadSuccessor Dangerous dMSA Permissions
Codename: C-BAD-SUCCESSOR
Severity: Critical
Type: Active Directory Indicator of Exposure
mpgn: NetExec
Logan Goins: SharpSuccessor