Latest news with #WindowsServer2025


Techday NZ
10-06-2025
- Business
- Techday NZ
Semperis adds detection for BadSuccessor flaw in Windows 2025
Cybersecurity firm Semperis has introduced new detection capabilities in its Directory Services Protector (DSP) platform, aiming to protect organisations against "BadSuccessor" — a newly disclosed privilege escalation technique in Windows Server 2025 that currently has no available patch. The BadSuccessor flaw, revealed by researchers at Akamai, targets delegated Managed Service Accounts (dMSAs), a new Windows Server 2025 feature designed to enhance the security of service accounts. Instead, the researchers demonstrated how the feature can be exploited to impersonate highly privileged users in Active Directory, such as Domain Admins, without needing additional credentials or triggering alerts. In direct response to Akamai's findings, Semperis worked with the researchers to develop and deploy new detection indicators within its DSP platform. The enhancements include one new Indicator of Exposure (IOE) and three Indicators of Compromise (IOCs), designed to help organisations identify early signs of potential abuse. "Semperis moved quickly to translate the vulnerability into real-world detection capabilities for defenders, demonstrating how collaboration between researchers and vendors can lead to rapid, meaningful impact," said Yuval Gordon, Security Researcher at Akamai. The detection indicators are focused on revealing abnormal behaviour around dMSAs, including excessive delegation rights, suspicious links between dMSAs and privileged accounts, and attempts to target sensitive credentials like the KRBTGT account. According to Semperis, this can give security teams a vital head start in identifying attacks before they can escalate. "Service accounts remain one of the least governed yet most powerful assets in enterprise environments," said Tomer Nahum, Security Researcher at Semperis. 
"This collaboration with Akamai allowed us to close detection gaps fast and give defenders visibility into a deeply complex area of Active Directory that attackers continue to exploit." The vulnerability has broad implications. Any organisation operating at least one domain controller (DC) running Windows Server 2025 may be at risk. According to Semperis, even a single misconfigured DC using dMSAs could expose the entire Active Directory environment to compromise. As there is currently no fix for the vulnerability, Semperis is urging organisations to take immediate steps to protect their environments. These include auditing dMSA configurations, reviewing delegation permissions, and employing detection tools such as the updated DSP platform. The new detection features aim to support defenders in closing a critical visibility gap. Service accounts, such as dMSAs, often run with elevated privileges but remain unmonitored or poorly managed in many enterprise environments. This lack of oversight creates a potential blind spot for attackers to exploit — a challenge the BadSuccessor technique highlights sharply. Semperis stated that the DSP update is available now and is intended to offer a stopgap solution for organisations as they await official mitigation from Microsoft. The case also serves as a reminder of the growing complexity of managing hybrid identity environments. With attackers increasingly targeting infrastructure such as Active Directory, new features — however well-intentioned — can quickly become unexpected attack vectors. Gordon added, "The abuse of service accounts is a growing concern, and this high-profile vulnerability is a wake-up call." Until a patch is released, security teams are advised to remain vigilant and proactive. By monitoring dMSA activity and understanding their configuration risks, organisations can reduce their exposure to what could otherwise be a silent but highly impactful method of privilege escalation.


Techday NZ
09-06-2025
- Business
- Techday NZ
Semperis adds detection for dMSA attacks in Windows Server
Semperis has announced new detection capabilities in its Directory Services Protector platform in collaboration with Akamai to address the "BadSuccessor" privilege escalation technique in Windows Server 2025. BadSuccessor targets a new Windows Server 2025 feature called delegated Managed Service Accounts (dMSAs), which was designed to improve service account security. Researchers at Akamai have shown that attackers can exploit dMSAs to impersonate highly privileged users, such as Domain Admins, within Active Directory. At present, there is no patch available to address this vulnerability. Service accounts, including dMSAs, often operate with extensive or unmonitored privileges, creating potential security risks for enterprises. The exploitation method uncovered by Akamai highlights ongoing challenges in securing service accounts and preventing unexpected attack vectors within large organisations. In response, Semperis has updated its Directory Services Protector platform to include one new Indicator of Exposure and three Indicators of Compromise aimed at detecting abnormal dMSA activity. These enhancements will enable security teams to identify excessive delegation rights, malicious connections between dMSAs and privileged user accounts, and attacks directed at sensitive accounts such as KRBTGT. "Semperis moved quickly to translate the vulnerability into real-world detection capabilities for defenders, demonstrating how collaboration between researchers and vendors can lead to rapid, meaningful impact. The abuse of service accounts is a growing concern, and this high-profile vulnerability is a wake-up call," said Yuval Gordon, Security Researcher at Akamai. "Service accounts remain one of the least governed yet most powerful assets in enterprise environments. 
This collaboration with Akamai allowed us to close detection gaps fast and give defenders visibility into a deeply complex area of Active Directory that attackers continue to exploit," said Tomer Nahum, Security Researcher at Semperis. The vulnerability is present in any organisation that operates at least one domain controller running Windows Server 2025. According to Semperis, a single misconfigured domain controller can place the entire environment at risk. Until vendors release an official patch, organisations are encouraged to audit dMSA permissions and use detection tools to monitor for misuse. Semperis is reinforcing cybersecurity for enterprises by protecting critical identity services that underpin hybrid and multi-cloud environments. Purpose-built for securing complex identity infrastructures — including Active Directory, Entra ID, and Okta — Semperis' AI-powered platform safeguards more than 100 million identities from cyberattacks, data breaches, and operational missteps. Headquartered in Hoboken, New Jersey, the privately held international company supports major global brands and government agencies, with customers spanning over 40 countries. Beyond its core technology offerings, Semperis is recognized for its commitment to the cybersecurity community. The company sponsors a range of industry resources, including the award-winning Hybrid Identity Protection (HIP) Conference, the HIP Podcast, and free identity security tools such as Purple Knight and Forest Druid. With its dual mission to protect digital infrastructure and empower the security community, Semperis continues to play a pivotal role in advancing global cyber resilience.


Forbes
21-05-2025
- Forbes
New Windows Server 2025 Attack Compromises Any Active Directory User
New Windows Server 2025 vulnerability confirmed. Although you are far more likely to read about vulnerabilities impacting the Windows operating system, including those that have long since reached end-of-support status such as Windows 7, this doesn't mean that Windows Server users are not in the crosshairs of threat actors. Far from it, and not just legacy versions either, as security researchers reveal a new, and trivial to implement, Windows Server 2025 vulnerability that could compromise any Active Directory user. Here's what you need to know. Privilege escalation vulnerabilities are among the worst you can be faced with, as, rather obviously, they enable a successful attacker to do way more than they should be able to given the lack of permissions they started with. Yuval Gordon, a senior security researcher at Akamai Technologies, has exclusively shared details of a particularly concerning privilege escalation vulnerability impacting Windows Server 2025. Not only because, as Gordon explained, it allows an attacker to 'compromise any user in Active Directory,' but also as it 'works with the default configuration, and is trivial to implement.' If you thought things couldn't get any worse, you'd be wrong: no patch is currently available. Akamai has named the vulnerability and associated exploit as BadSuccessor, and confirmed that it abuses the delegated Managed Service Account feature introduced with Windows Server 2025. 'In 91% of the environments we examined,' Gordon said, 'we found users outside the domain admins group that had the required permissions to perform this attack.' BadSuccessor might be trivial to implement, but the consequences of a successful attack are far from the same. Full attack flow, showing all steps needed to have a BadSuccessor. A key feature of dMSA is the ability to migrate existing and non-managed service accounts by seamlessly converting them into dMSAs, and it's this that is the issue. 
'By abusing dMSAs, attackers can take over any principal in the domain,' Gordon said. All an attacker needs to be able to exploit the BadSuccessor vulnerability is a seemingly benign permission on any organizational unit in the domain. Here's the real killer though: as long as you have one Windows Server 2025 domain controller, your domain doesn't even need to be using dMSAs at all, the exploit will work anyway. I would advise every Windows Server administrator to read the full report in its entirety, and as a matter of some urgency. In the meantime, I spoke with Yuval Gordon who reiterated that BadSuccessor is not only 'so dangerous because the attack is so simple,' but added that Akamai researchers were 'surprised that we were first to discover it.' The only good news, such as it is, would be that there is no evidence to conclusively show that BadSuccessor has been exploited by attackers in the wild at this point, but given that 'most organisations aren't currently monitoring the relevant events,' Gordon said it's hard to say for certain. Gordon recommended that organizations and admins need to identify which users have the specific permissions that make this attack possible, and, having done so, review and remove unnecessary permissions. 'We're releasing a PowerShell script alongside the blog post to help with that,' Gordon told me, so that would be a good starting point. 'It highlights exactly which users have risky access so defenders know where to focus,' Gordon concluded. I reached out to Microsoft for a statement, and a spokesman said: 'We appreciate Akamai for identifying and responsibly reporting this issue. After careful investigation, this case was rated as a Moderate severity that does not meet our bar for immediate servicing, as the technique requires elevated user permissions to be successful. We will look to address this issue in a future update.'
Microsoft also said that for BadSuccessor to be successful, an attacker would require access to the msds-groupMSAMembership attribute of the dMSA. This attribute allows the user to utilize the The attacker needs write access to this attribute, which allows them to specify a user, such as an administrator, that the dMSA can act on behalf of. All users of Windows Server 2025 are advised to take action and protect against the threat until Microsoft issues a fix.

Associated Press
13-05-2025
- Business
- Associated Press
Technical Research Report: Analyzing the Benefits of Windows Server® 2025 OEM Licensing and Dell™ PowerEdge™ R770 Servers
Bellevue, WA May 12, 2025 -- A total cost of ownership (TCO) study conducted by Prowess Consulting reveals that the Windows Server® 2025 OEM license that comes preinstalled on Dell™ PowerEdge™ R770 servers delivers significant savings in both capital expenditures (CapEx) and operating expenses (OpEx) compared to a traditional volume-licensed, manually installed version.* Additional benefits of Windows Server 2025 include enhanced security capabilities, with multi-layered security rooted in hardware, in addition to hotpatching updates. To investigate how Windows Server 2025 can help small to medium-sized businesses (SMBs) address today's business and operational challenges, Prowess Consulting compared the benefits of Windows Server 2025 OEM licensing preinstalled on PowerEdge R770 servers to traditional, manually installed volume licensing. They also examined the new and enhanced capabilities of Windows Server 2025 versus Windows Server 2022. The study's results indicate that the latest version of Windows Server with OEM licensing can help SMBs modernize infrastructure, significantly lower TCO, protect against cyber threats, and meet regulatory requirements. 'Standardizing server environments with Windows Server 2025 OEM licensing preinstalled on PowerEdge R770 servers can significantly lower TCO,' says Ben Fuller, Prowess Consulting Account Director. 'Compared to traditional volume licensing, OEM licensing costs less, streamlines software procurement, reduces manual intervention, accelerates server deployment, and significantly lowers CapEx and OpEx.' Windows Server 2025 installed on PowerEdge R770 servers enables SMBs to adopt a zero-trust security model rooted in hardware. Multi-layered, hardware-enforced, and automated security features like hotpatching enhance an organization's security strategy without requiring specialized expertise.
Other future-ready enhancements help boost AI and machine learning (ML) performance, scale infrastructure from edge to cloud, improve operational efficiency, and streamline DevOps. Particularly of benefit for organizations with limited IT resources is the OEM licensing's technical support package, which is superior to that of traditional licensing. To learn more about the benefits of deploying a Windows Server 2025 OEM license preinstalled on a Dell PowerEdge R770 server, visit to view the full technical research report, research abstract, methodology, and infographic. To learn more about Microsoft OEM software solutions from Dell Technologies, visit *The analysis and reporting were done by Prowess Consulting and commissioned by Dell Technologies. About Prowess Consulting Prowess Consulting has partnered with technology innovators for more than 20 years, delivering trusted, high-quality solutions and strategic expertise to support their growth and operations. Prowess Consulting is located in Bellevue, Washington, USA.


Forbes
29-04-2025
- Forbes
New Windows 7 And Windows Server 2008 Security Updates Confirmed
Windows 7 users get good security update news. Security updates are very much in the news at the moment, what with a no-reboot patching feature for Windows 11 and Microsoft's announcement that hotpatching will cost at least $1.50 per core for Windows Server 2025 users. Yet, with hundreds of security vulnerabilities being uncovered that impact Windows users, and cybercriminals evolving to strike at record speed, the matter of keeping on top of security updates has never been more vital. Unless you are a user of a Windows platform that has reached end-of-support status, such as Windows 7 or Windows Server 2008 R2, for example. There simply are no security patches available for these two platforms. Or are there? I have some good news for you if you just can't bear to part ways with your favourite Windows computer. The secret to the continuing availability of security patches to protect your systems if you are a hardened Windows 7 or Windows Server 2008 R2 user has been hinted at in a number of my articles. On March 27, I reported how a zero-day vulnerability impacting everything from Windows 7 and Server 2008 R2 to the latest Windows 11 v24H2 and Server 2025 could be mitigated even though Microsoft didn't have any official patch at the time. Back on Dec 7, 2024, I reported how another zero-day, impacting all Windows users, could be fixed using the same method. Those fixes came by way of a micro patching service called 0patch — the same service that can now save you if you want to keep your legacy Windows systems alive and protected. 0patch addresses the vulnerability gap between zero-days being discovered and any official patch being released. It does this by providing what it refers to as micro patches, much like the subscription fee incurring Windows Server 2025 hot patch system. These work by applying the fix in memory without disturbing the process itself and without requiring any reboots.
Posting to X, formerly known as Twitter, on April 29, Mitja Kolsek, the CEO of ACROS Security, the company behind 0patch, said: 'Due to (wow!) growing demand, we've decided to extend support for Windows 7 and Windows Server 2008 R2 with security patches for another year (Jan/2027). Reminder: our security patches are the only security patches existing for these Windows versions.' Wow, indeed. So, if you are a user of either platform, now is the time to reach out and get those micro patch security updates to protect your systems and your data. You only have one other choice, it would seem, and that's to remain at risk of attack.