New Windows Server 2025 Attack Compromises Any Active Directory User


Forbes, 21-05-2025

New Windows Server 2025 vulnerability confirmed.
Although you are far more likely to read about vulnerabilities impacting the Windows operating system, including those that have long since reached end-of-support status such as Windows 7, this doesn't mean that Windows Server users are not in the crosshairs of threat actors. Far from it, and not just legacy versions either, as security researchers reveal a new, and trivial to implement, Windows Server 2025 vulnerability that could compromise any Active Directory user. Here's what you need to know.
Privilege escalation vulnerabilities are among the worst you can be faced with, as, rather obviously, they enable a successful attacker to do way more than they should be able to given the lack of permissions they started with. Yuval Gordon, a senior security researcher at Akamai Technologies, has exclusively shared details of a particularly concerning privilege escalation vulnerability impacting Windows Server 2025. Not only because, as Gordon explained, it allows an attacker to 'compromise any user in Active Directory,' but also as it 'works with the default configuration, and is trivial to implement.' If you thought things couldn't get any worse, you'd be wrong: no patch is currently available.
Akamai has named the vulnerability and associated exploit BadSuccessor, and confirmed that it abuses the delegated Managed Service Account (dMSA) feature introduced with Windows Server 2025. 'In 91% of the environments we examined,' Gordon said, 'we found users outside the domain admins group that had the required permissions to perform this attack.' BadSuccessor might be trivial to implement, but the consequences of a successful attack are far from trivial.
Full attack flow, showing all steps needed to have a BadSuccessor.
A key feature of dMSA is the ability to migrate existing, non-managed service accounts by seamlessly converting them into dMSAs, and it's this that is the issue. 'By abusing dMSAs, attackers can take over any principal in the domain,' Gordon said. All an attacker needs to be able to exploit the BadSuccessor vulnerability is a seemingly benign permission on any organizational unit in the domain. Here's the real killer though: as long as you have one Windows Server 2025 domain controller, your domain doesn't even need to be using dMSAs at all; the exploit will work anyway.
I would advise every Windows Server administrator to read the full report in its entirety, and as a matter of some urgency. In the meantime, I spoke with Yuval Gordon who reiterated that BadSuccessor is not only 'so dangerous because the attack is so simple,' but added that Akamai researchers were 'surprised that we were first to discover it.' The only good news, such as it is, would be that there is no evidence to conclusively show that BadSuccessor has been exploited by attackers in the wild at this point, but given that 'most organisations aren't currently monitoring the relevant events,' Gordon said it's hard to say for certain.
Gordon recommended that organizations and admins identify which users have the specific permissions that make this attack possible, and, having done so, review and remove unnecessary permissions. 'We're releasing a PowerShell script alongside the blog post to help with that,' Gordon told me, so that would be a good starting point. 'It highlights exactly which users have risky access so defenders know where to focus,' Gordon concluded.
I reached out to Microsoft for a statement, and a spokesman said: 'We appreciate Akamai for identifying and responsibly reporting this issue. After careful investigation, this case was rated as a Moderate severity that does not meet our bar for immediate servicing, as the technique requires elevated user permissions to be successful. We will look to address this issue in a future update.'
Microsoft also said that for BadSuccessor to be successful, an attacker would require access to the msds-groupMSAMembership attribute of the dMSA. This attribute allows the user to utilize the dMSA. The attacker also needs write access to the msds-ManagedAccountPrecededByLink attribute, which allows them to specify a user, such as an administrator, that the dMSA can act on behalf of.
All users of Windows Server 2025 are advised to take action and protect against the threat until Microsoft issues a fix.
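As an interim review aid, the following added example (not Akamai's script and not Microsoft code) inventories every dMSA in the domain and reports the account named in its msds-ManagedAccountPrecededByLink attribute, so that an unexpected link to a privileged account stands out. It assumes the RSAT ActiveDirectory module, read access to the domain, and the schema class name msDS-DelegatedManagedServiceAccount, which does not appear in the article; using adminCount as the marker for a privileged predecessor is also this example's choice.

```powershell
# Added example: list dMSAs and the account each one is linked to as its predecessor.
Import-Module ActiveDirectory

# LDAP attribute names are case-insensitive; this is the attribute named in the article.
$linkAttr = 'msDS-ManagedAccountPrecededByLink'

# All dMSA objects (class name is an assumption of this example, see the lead-in).
$dmsas = Get-ADObject -LDAPFilter '(objectClass=msDS-DelegatedManagedServiceAccount)' `
    -Properties $linkAttr, whenCreated, whenChanged

$report = foreach ($dmsa in $dmsas) {
    foreach ($targetDn in @($dmsa.$linkAttr)) {
        if (-not $targetDn) { continue }    # no predecessor link set on this dMSA

        # Resolve the linked account. adminCount = 1 marks accounts that are,
        # or once were, members of protected groups such as Domain Admins.
        $pred = $null
        try {
            $pred = Get-ADObject -Identity $targetDn -Properties adminCount, objectClass
        } catch {
            Write-Warning "Could not resolve predecessor '$targetDn' of $($dmsa.DistinguishedName)"
        }

        [pscustomobject]@{
            dMSA                   = $dmsa.DistinguishedName
            Created                = $dmsa.whenCreated
            LastChanged            = $dmsa.whenChanged
            Predecessor            = $targetDn
            PredecessorClass       = if ($pred) { $pred.objectClass } else { 'unresolved' }
            PredecessorIsProtected = [bool]($pred -and $pred.adminCount -eq 1)
        }
    }
}

# Protected predecessors first: these are the links to verify against change records.
$report |
    Sort-Object PredecessorIsProtected, LastChanged -Descending |
    Format-Table -AutoSize -Wrap

if (-not $report) {
    Write-Output 'No dMSA with a predecessor link was found in this domain.'
}
```

A row with PredecessorIsProtected set to True that does not correspond to a planned service account migration should be investigated, along with who created or last modified that dMSA.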
