BadSuccessor Dangerous dMSA Permissions

Description

BadSuccessor is a privilege escalation vulnerability in Active Directory, introduced with the delegated Managed Service Accounts (dMSAs) feature in Windows Server 2025. It allows an attacker with the right to create or modify a dMSA to make that account inherit the permissions of a high-privilege target, potentially leading to full domain compromise. Exploitation requires at least one Windows Server 2025 domain controller in the domain.

Solution

Microsoft patched the BadSuccessor vulnerability as CVE-2025-53779. However, because the technique can still be used for persistence or lateral movement on patched systems, organizations should apply the patch and restrict dMSA creation and modification permissions to trusted users.
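Restricting dMSA creation starts with knowing who currently holds the right. The following audit script is an added example, not part of this indicator page or of any Tenable product; it assumes the ActiveDirectory RSAT module and a forest whose schema already contains the Windows Server 2025 msDS-DelegatedManagedServiceAccount class, and the `$allowed` list of expected principals is a constructed placeholder to adapt per environment.

```powershell
# Added audit example (not from the indicator page). Lists every OU/container ACE that grants
# CreateChild for dMSA objects (or for all child classes) to a principal outside the expected set.
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE

# Resolve the dMSA class GUID from the live schema instead of hard-coding it.
$dmsaClass = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=msDS-DelegatedManagedServiceAccount)' `
    -Properties schemaIDGUID
if (-not $dmsaClass) { throw 'dMSA class not found: the Windows Server 2025 schema is not present.' }
$dmsaGuid = [guid]$dmsaClass.schemaIDGUID
$anyChild = [guid]::Empty   # all-zero ObjectType: the right applies to every child class

# Constructed placeholder: principals that are expected to be able to create dMSAs.
$allowed = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM',
             "$env:USERDOMAIN\Domain Admins", "$env:USERDOMAIN\Enterprise Admins")

$containers = Get-ADObject -SearchBase $rootDse.defaultNamingContext `
    -LDAPFilter '(|(objectClass=organizationalUnit)(objectClass=container))'

$findings = foreach ($c in $containers) {
    $acl = Get-Acl -Path "AD:\$($c.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = $ace.ActiveDirectoryRights
        $grantsCreate = ($rights -band [System.DirectoryServices.ActiveDirectoryRights]::CreateChild) -or
                        ($rights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll)
        if (-not $grantsCreate) { continue }
        # Keep only ACEs scoped to the dMSA class or to all child classes.
        if ($ace.ObjectType -ne $dmsaGuid -and $ace.ObjectType -ne $anyChild) { continue }
        if ($allowed -contains $ace.IdentityReference.Value) { continue }
        [pscustomobject]@{
            Container = $c.DistinguishedName
            Principal = $ace.IdentityReference.Value
            Rights    = $rights
            Inherited = $ace.IsInherited
            Scope     = if ($ace.ObjectType -eq $anyChild) { 'AllChildClasses' } else { 'dMSA' }
        }
    }
}

$findings | Sort-Object Container, Principal | Format-Table -AutoSize
```

Each row is a principal that can create dMSAs somewhere in the domain and is not on the expected list; inherited rows point to the parent container where the ACE was actually set.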

See Also

BadSuccessor: Abusing dMSA to Escalate Privileges in Active Directory

BadSuccessor Is Dead, Long Live BadSuccessor(?)

Delegated Managed Service Accounts overview

Indicator Details

Name: BadSuccessor Dangerous dMSA Permissions

Codename: C-BAD-SUCCESSOR

Severity: Critical

Type: Active Directory Indicator of Exposure

Family: Access Control and Permissions

MITRE ATT&CK Information:

Attacker Known Tools

mpgn: NetExec

Logan Goins: SharpSuccessor