Akamai Warns of Critical Flaw in Windows Server 2025

A new security flaw in Windows Server 2025 is drawing sharp criticism after Akamai disclosed full exploitation details despite Microsoft declining to issue an immediate patch. Dubbed "BadSuccessor," the vulnerability allows a low-privileged domain user who holds one commonly delegated permission to escalate privileges and compromise an entire Active Directory environment, raising alarm among enterprise defenders.

The flaw stems from the newly introduced delegated Managed Service Accounts (dMSAs), a Server 2025 account type intended to replace traditional service accounts through a migration path. Akamai researcher Yuval Gordon found that a dMSA inherits the privileges of the account it is recorded as superseding (its "predecessor"), and that nothing ties that predecessor link to a genuine service account migration, which creates a stealthy but powerful abuse path.

In his blog post, Gordon showed how just two minor attribute changes on an attacker-created dMSA are enough to grant that account the full access of whatever predecessor it points at, without altering group memberships, modifying the privileged account itself, or triggering standard escalation alerts. In this "invisible heir" scenario, as Gordon puts it, domain controllers grant elevated access purely on the strength of the inheritance link, and the attacker controls that link.

Akamai's review of customer environments found that 91% already have at least one non-admin principal holding the Create-Child permission on some organizational unit. That right is all an attacker needs: it lets them create a dMSA object in that OU, and from there forge one whose predecessor is a privileged account.

Microsoft, however, assessed the bug as a "moderate" issue, noting that exploitation requires specific permissions on dMSA objects, which it treats as elevated. The company has no plans to issue a patch immediately, a stance Akamai sharply disagrees with. Gordon argues that Microsoft's risk assessment underestimates the attack surface: Create-Child on an OU is routinely delegated to non-administrative accounts, and dMSA support is enabled by default on every Windows Server 2025 domain controller.

“Any organization adding a Server 2025 domain controller inherits the risk automatically,” Gordon noted, underscoring the danger posed by default configurations and overlooked permissions.

The decision to publicly disclose the vulnerability before a patch reignited the responsible disclosure debate. Some researchers criticized the move, warning it could lead to widespread abuse. Others, however, backed Akamai, pointing to Microsoft’s track record of downplaying or delaying fixes for critical issues.

In the meantime, Akamai has released defensive material, including detection queries, logging guidance, and a script that lists principals with rights to create dMSAs. Gordon stressed the urgency: current industry tooling does not flag Create-Child access that covers dMSA objects as a critical finding, leaving organizations blind to a potentially severe attack vector.
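The check the two preceding points call for (who can create a dMSA in any OU, and the fact that ordinary tooling does not report it) can be run directly against the directory. The script below is an added example written for this article; it is not Akamai's published script and not Microsoft code. It assumes the ActiveDirectory RSAT module on a domain-joined host with read access to OU ACLs, resolves the dMSA object-class GUID from the schema rather than hard-coding it, and treats the listed built-in administrative principals as the only expected holders of the right; that allow-list is an assumption and should be adjusted to the organization's own tiering model.

```powershell
# Added example, not Akamai's tool: enumerate OUs, containers and the domain root
# and report every principal outside the expected admin set whose ACE allows it
# to create a dMSA object there (GenericAll, CreateChild for any class, or
# CreateChild scoped to the dMSA class).
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$domainDn = $rootDse.defaultNamingContext

# Resolve the schemaIDGUID of the dMSA class; class-scoped CreateChild ACEs carry
# this GUID in ObjectType, an all-zero ObjectType means CreateChild for any class.
$dmsaClass = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=msDS-DelegatedManagedServiceAccount)' `
    -Properties schemaIDGUID
if (-not $dmsaClass) {
    throw 'dMSA class absent from the schema: no Server 2025 schema, this check does not apply.'
}
$dmsaGuid = [guid]$dmsaClass.schemaIDGUID
$anyClass = [guid]::Empty

# Assumption: principals expected to hold these rights. Anything else is a finding.
$domainNb = (Get-ADDomain).NetBIOSName
$expected = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    "$domainNb\Domain Admins",
    "$domainNb\Enterprise Admins"
)

$createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
$genericAll  = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

# Every place a dMSA could be created: OUs, containers and the domain head itself.
$targets  = @(Get-ADObject -SearchBase $domainDn `
    -LDAPFilter '(|(objectClass=organizationalUnit)(objectClass=container))')
$targets += Get-ADObject -Identity $domainDn

$findings = foreach ($obj in $targets) {
    $acl = Get-Acl -Path "AD:\$($obj.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = $ace.ActiveDirectoryRights

        # GenericAll is a mask of many bits, so test for the whole mask, not any bit.
        $hasGenericAll  = (($rights -band $genericAll) -eq $genericAll)
        $hasCreateChild = (($rights -band $createChild) -eq $createChild) -and
                          ($ace.ObjectType -eq $anyClass -or $ace.ObjectType -eq $dmsaGuid)
        if (-not ($hasGenericAll -or $hasCreateChild)) { continue }

        $who = $ace.IdentityReference.Value
        if ($expected -contains $who) { continue }

        [pscustomobject]@{
            Principal = $who
            Container = $obj.DistinguishedName
            Rights    = $rights
            Scope     = if ($ace.ObjectType -eq $dmsaGuid) { 'dMSA class' } else { 'any child' }
            Inherited = $ace.IsInherited
        }
    }
}

$findings | Sort-Object Principal, Container | Format-Table -AutoSize
```

Two caveats when reading the output. First, the script checks explicit ACEs only; the owner of a container implicitly holds WriteDacl and can grant itself CreateChild, so unexpected owners of OUs deserve the same scrutiny. Second, a hit on "any child" is the common case the 91% figure describes: delegations written long before dMSAs existed now also cover the new object class, which is why a generic CreateChild grant is a finding even when nobody ever intended it to cover service accounts.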

The message from Akamai is clear: this flaw may look minor on paper, but in real Active Directory environments it opens the door to attacks comparable in impact to DCSync, the credential-extraction technique behind some of the most devastating breaches to date.