
A privilege escalation flaw in Windows Server 2025 makes it possible to compromise any user in Active Directory (AD).
“The attack was introduced in Windows Server 2025 and takes advantage of the Delegated Managed Service Account (DMSA) feature, which works with default configurations and is easy to implement,” Akamai security researcher Yuval Gordon said in a report shared with Hacker News.
“This issue could be affecting most organizations that rely on AD. In 91% of the environments we investigated, users outside the domain administrators group were found with the permissions needed to carry out this attack.”
What is noteworthy about the attack path is that it abuses a new feature, Delegated Managed Service Accounts (DMSAs), which allows migration from existing legacy service accounts. DMSAs were introduced in Windows Server 2025 to mitigate Kerberoasting attacks.

The attack technique has been codenamed BadSuccessor by the web infrastructure and security company.
“DMSA allows users to create it as a standalone account or to use it to replace an existing standard service account,” Microsoft says in its documentation. “If DMSA replaces an existing account, it blocks authentication against the existing account using a password.”
“Requests are redirected to the Local Security Authority (LSA) and authenticated using the DMSA. DMSA has access to everything your previous account had access to in AD. DMSA automatically learns which devices use the service account that is being moved from the existing service accounts.”

The problem identified by Akamai is that, during DMSA Kerberos authentication, the Privilege Attribute Certificate (PAC) embedded in the Ticket Granting Ticket (TGT) issued by the Key Distribution Center (KDC) (i.e., the credential used to verify the identity) contains both the DMSA’s security identifier (SID) and the SIDs of the account it supersedes, including that account’s group SIDs.
Because permissions transfer between accounts in this way, an attacker can simulate the DMSA migration process to compromise any user, including domain administrators, and obtain equivalent privileges. This opens the door to privilege escalation that effectively compromises the entire domain, even when the organization’s Windows Server 2025 domain does not use DMSAs at all.
“One interesting fact about this ‘simulated migration’ technique is that it doesn’t require permission over the account being replaced,” Gordon said. “The only requirement is write permissions over the attributes of a DMSA. Any DMSA.”
“After marking the DMSA as preceded by the user, the KDC automatically assumes a legitimate transition took place and will be willing to assign any and all permissions the original user has.”

Akamai reported the findings to Microsoft on April 1, 2025. The tech giant classified the issue as moderate severity and said it did not meet the bar for immediate servicing, because successful exploitation requires the attacker to already hold specific permissions on the DMSA object. A patch is, however, currently in development.
Given the lack of an immediate fix, organizations are advised to limit the ability to create DMSAs and to tighten these permissions wherever possible. Akamai has also released a PowerShell script that enumerates all non-default principals able to create DMSAs and lists the organizational units (OUs) in which each principal holds this permission.
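As an added example (not Akamai’s published script), the following PowerShell performs the check described above from a defender’s side: it resolves the DMSA object class from the schema, walks every OU’s ACL, and reports non-default principals holding CreateChild rights that cover DMSA objects. It assumes the ActiveDirectory RSAT module on a domain-joined host, and the default-principal exclusion list is an assumption to adjust per environment.

```powershell
# Added example, not Akamai's script: find non-default principals that can create
# dMSA objects under each OU. Assumes the ActiveDirectory RSAT module and read
# access to OU ACLs and the schema partition.
Import-Module ActiveDirectory

# Resolve the dMSA object class GUID from the schema instead of hard-coding it.
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$dmsaClass = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=msDS-DelegatedManagedServiceAccount)' `
    -Properties schemaIDGUID
if (-not $dmsaClass) { throw 'dMSA class not found in schema (no Windows Server 2025 schema).' }
$dmsaGuid = [guid]::new([byte[]]$dmsaClass.schemaIDGUID)

# Principals expected to hold CreateChild by default (assumption; extend as needed).
$netbios = (Get-ADDomain).NetBIOSName
$defaultPrincipals = @(
    'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
    "$netbios\Domain Admins", "$netbios\Enterprise Admins"
)

$createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
$findings = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        # Only Allow ACEs whose rights include CreateChild (GenericAll also contains it).
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (-not $ace.ActiveDirectoryRights.HasFlag($createChild)) { continue }
        # ObjectType empty = may create any child class; otherwise it must be the dMSA class.
        if ($ace.ObjectType -ne [guid]::Empty -and $ace.ObjectType -ne $dmsaGuid) { continue }
        $who = $ace.IdentityReference.Value
        if ($defaultPrincipals -contains $who) { continue }
        [pscustomobject]@{
            OU        = $ou.DistinguishedName
            Principal = $who
            Scope     = if ($ace.ObjectType -eq [guid]::Empty) { 'AnyChild' } else { 'dMSA' }
            Inherited = $ace.IsInherited
        }
    }
}
$findings | Sort-Object Principal, OU | Format-Table -AutoSize
```

Every principal listed can create a DMSA somewhere in the domain and should be reviewed; inherited ACEs show where a single grant at a parent container propagates to many OUs.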
“This vulnerability introduces previously unknown and shocking abuse paths that allow users with CreateChild permission on an OU to compromise users in the domain and gain power similar to the Replicating Directory Changes privilege used to carry out DCSync attacks,” says Gordon.