BadSuccessor Vulnerability: Critical Privilege Escalation in Windows Server 2025

Listen to this Post

Featured Image
🛑 BadSuccessor is the newly discovered vulnerability shaking Microsoft’s ecosystem, enabling critical privilege escalation on Windows Server 2025. This flaw allows total domain compromise under default configurations. While Windows Server 2025 isn’t widely deployed yet, the potential impact is severe.

🔎 The Exploit:

The vulnerability exploits delegated Managed Service Accounts (dMSA), a new feature in Windows Server 2025. An attacker can create a dMSA object and “succeed” any Active Directory (AD) user—inheriting their permissions.

You Should Know:

  • NTLM hashes & Kerberos keys (including krbtgt) can be stolen.
  • Attackers gain full user rights without triggering standard detection (no DC code execution, no `ntds.dit` modification, no RPC requests).
  • Microsoft has acknowledged the issue and is working on a patch, but fixing delegation logic in AD is complex.

Exploitation & Mitigation Steps

1. Verify Vulnerability Exposure

Check if your system is vulnerable:

Get-WindowsFeature -Name "RSAT-AD-PowerShell" | Install-WindowsFeature
Import-Module ActiveDirectory
Get-ADOptionalFeature -Filter  | Where-Object Name -like "dMSA"
  1. Test with Proof of Concept (PoC) Scripts

3. Immediate Mitigations

  • Disable dMSA feature (if not needed):
    Disable-ADOptionalFeature -Identity "dMSA Feature" -Confirm:$false
    
  • Monitor AD Object Creation:
    Get-WinEvent -LogName "Security" -FilterXPath "[EventData[Data[@Name='ObjectClass']='msDS-ManagedServiceAccount']]"
    

4. Kerberos Hardening (Prevent Hash Extraction)

  • Enforce AES Encryption (disable RC4):
    Set-ADAccountControl -Identity "krbtgt" -KerberosEncryptionType "AES256"
    
  • Enable Audit Logging:
    auditpol /set /subcategory:"Account Management" /success:enable /failure:enable
    

What Undercode Say

This vulnerability highlights critical risks in AD delegation logic. Even with patches, organizations must:
– Audit AD object changes
– Restrict dMSA permissions
– Assume breach—monitor for unusual Kerberos/NTLM activity

Prediction

Microsoft will likely disable dMSA by default in future updates. However, legacy systems may remain exposed, leading to increased AD attacks in 2025.

Expected Output:

 Check for dMSA-related events in Security logs 
Get-WinEvent -LogName "Security" | Where-Object { $<em>.Id -eq 5136 -and $</em>.Message -like "msDS-ManagedServiceAccount" } 

For deeper analysis, refer to the technical breakdown. Stay patched! 🚨

References:

Reported By: Kondah Badsuccessor – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

Join Our Cyber World:

💬 Whatsapp | 💬 Telegram