Vulnerability Management, Threat Intelligence
Active Directory breach likely with critical Windows Server 2025 exploit

Active Directory users could be compromised with the new BadSuccessor attack technique, which exploits a privilege escalation vulnerability in Windows Server 2025's delegated Managed Service Account (dMSA) feature, a mechanism designed to let organizations migrate legacy service accounts to managed accounts while shutting down Kerberoasting, reports The Hacker News.
The flaw lies in how the dMSA migration step is honored at Kerberos authentication time: when a dMSA requests a ticket-granting ticket, the key distribution center includes not only the dMSA's own security identifier but also the SID and group memberships of the account the dMSA is recorded as superseding. An attacker who can create a dMSA and mark it as the successor of an arbitrary account therefore inherits that account's permissions without ever touching the account itself, which could eventually lead to total domain compromise, according to an analysis from Proofpoint. "This vulnerability introduces a previously unknown and high-impact abuse path that makes it possible for any user with CreateChild permissions on an [organizational unit] to compromise any user in the domain and gain similar power to the Replicating Directory Changes privilege used to perform DCSync attacks," said Akamai security researcher Yuval Gordon. Microsoft is now working on a fix after initially deprioritizing the issue on the grounds that exploitation requires specific permissions on dMSA objects.
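The defender-side check that follows from the quote above, as an added example that is not code from the article, from Akamai's researcher, from Proofpoint or from Microsoft: a PowerShell audit that (1) lists organizational units where principals outside a trusted list hold CreateChild on dMSA objects, the precondition Gordon names, and (2) lists existing dMSAs whose msDS-ManagedAccountPrecededByLink attribute already names another account, since that is the link the KDC honors when it adds the superseded account's SIDs to the ticket. The attribute names and the AdminSDHolder adminCount marker are taken from the dMSA and AD schema rather than from the page; the trusted-SID list, the use of adminCount as a privilege heuristic, and the function names are this example's own assumptions.

```powershell
# Added audit example for the BadSuccessor precondition; not code from the article,
# Akamai, Proofpoint or Microsoft. Assumes the RSAT ActiveDirectory module is present
# and the caller can read OU security descriptors.
Import-Module ActiveDirectory

function Get-DmsaCreateChildGrants {
    # Report OUs where a principal outside $TrustedSids may create child objects of
    # class msDS-DelegatedManagedServiceAccount (or child objects of any class).
    param([string[]]$TrustedSids)

    if (-not $TrustedSids) {
        # Assumption: only these principals legitimately create objects in OUs.
        $domainSid   = (Get-ADDomain).DomainSID.Value
        $TrustedSids = @('S-1-5-18',            # NT AUTHORITY\SYSTEM
                         'S-1-5-32-544',        # BUILTIN\Administrators
                         "$domainSid-512",      # Domain Admins
                         "$domainSid-519")      # Enterprise Admins
    }

    # Resolve the dMSA class GUID from the schema instead of hard-coding it.
    $schemaNc  = (Get-ADRootDSE).schemaNamingContext
    $dmsaClass = Get-ADObject -SearchBase $schemaNc `
        -LDAPFilter '(lDAPDisplayName=msDS-DelegatedManagedServiceAccount)' `
        -Properties schemaIDGUID
    $dmsaGuid  = [guid]$dmsaClass.schemaIDGUID
    $anyClass  = [guid]::Empty   # ObjectType of all zeros = CreateChild for every class
    $createBit = [int][System.DirectoryServices.ActiveDirectoryRights]::CreateChild

    foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
        $acl = Get-Acl -Path ('AD:\' + $ou.DistinguishedName)
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            # GenericAll carries the CreateChild bit too, so test bitwise rather than by name.
            if (([int]$ace.ActiveDirectoryRights -band $createBit) -eq 0) { continue }
            if ($ace.ObjectType -ne $dmsaGuid -and $ace.ObjectType -ne $anyClass) { continue }
            $sid = $ace.IdentityReference.Translate(
                       [System.Security.Principal.SecurityIdentifier]).Value
            if ($TrustedSids -contains $sid) { continue }
            [pscustomobject]@{
                OU        = $ou.DistinguishedName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.ActiveDirectoryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Get-DmsaSupersededLinks {
    # Report every dMSA that already claims to supersede another account. The KDC
    # treats that account's SID and groups as the dMSA's own at authentication time.
    $dmsas = Get-ADObject -LDAPFilter '(objectClass=msDS-DelegatedManagedServiceAccount)' `
        -Properties msDS-ManagedAccountPrecededByLink, msDS-DelegatedMSAState
    foreach ($dmsa in $dmsas) {
        foreach ($link in @($dmsa.'msDS-ManagedAccountPrecededByLink')) {
            if (-not $link) { continue }
            $target = Get-ADObject -Identity $link -Properties adminCount, objectSid
            [pscustomobject]@{
                DMSA           = $dmsa.DistinguishedName
                Supersedes     = $target.DistinguishedName
                TargetSid      = $target.objectSid.Value
                # adminCount=1 marks AdminSDHolder-protected accounts; a heuristic, not proof.
                TargetIsAdmin  = ($target.adminCount -eq 1)
                MigrationState = $dmsa.'msDS-DelegatedMSAState'
            }
        }
    }
}

Get-DmsaCreateChildGrants | Format-Table -AutoSize
Get-DmsaSupersededLinks   | Format-Table -AutoSize
```

Run it from a Windows Server 2025 domain controller or a host with RSAT, as a reader of the directory; no write access is needed. Any row from the first function is a principal that can stage the attack from that OU, and any row from the second whose TargetIsAdmin is true deserves an immediate look at who created the dMSA and when. For ongoing coverage, directory service object auditing (events 5137 for object creation and 5136 for attribute modification) on dMSA objects and on msDS-ManagedAccountPrecededByLink gives the same signal in real time.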