
Akamai, Microsoft Disagree on Severity of Unpatched ‘BadSuccessor’ Flaw

Akamai documents a privilege escalation flaw in Windows Server 2025 after Redmond declines to ship an immediate patch.


Akamai’s security team kicked off a new spat in the vulnerability disclosure world by publishing full exploitation details for “BadSuccessor,” an unpatched privilege-escalation flaw in Windows Server 2025 that allows attackers to compromise any user in Active Directory.

According to Akamai researcher Yuval Gordon, Microsoft’s security response center confirmed the validity of the bug but brushed it aside as a “moderate” severity issue that would be patched “in the future.”

“While we appreciate Microsoft’s response, we respectfully disagree with the severity assessment,” Gordon argued in a blog post that included proof-of-concept code that turns an obscure service-account migration feature into a significant security risk.

Gordon said the weak spot lives in delegated Managed Service Accounts, or dMSAs, a brand-new account class introduced with Server 2025. The dMSAs were meant to replace clunky legacy service accounts but Gordon found that they inherit whatever powers the original account enjoyed.

He provided technical documentation to show the steps an unprivileged user can take to create a fresh dMSA that’s treated as a legitimate heir.

“This is all the Domain Controller needs to treat us as the legitimate heir. Remember: No group membership changes, no Domain Admins group touch, and no suspicious LDAP writes to the actual privileged account are needed,” Gordon said.

“With just two attribute changes, a humble new object is crowned the successor — and the KDC never questions the bloodline; if the link is there, the privileges are granted. We didn’t change a single group membership, didn’t elevate any existing account, and didn’t trip any traditional privilege escalation alerts,” he explained.


Akamai surveyed customer telemetry and found that in 91 percent of environments, at least one non-admin user already holds the problematic Create-Child rights in an organizational unit.

Gordon notes that those rights are enough to spin up a dMSA but Microsoft reduced the severity because attackers would need “specific permissions indicative of elevated access.” Because Windows Server 2025 domain controllers enable dMSA support by default, Gordon said organizations inherit the risk simply by adding a 2025 DC to an existing Active Directory forest. 

He said that default stance is what finally pushed Akamai to publish after notifying the software giant on April 1 and learning that a patch won’t be immediately available.

“[They] assessed it as a Moderate severity vulnerability, and stated that it does not currently meet the threshold for immediate servicing,” Gordon said.

He warned that the vulnerability introduces a previously unknown and high-impact abuse path that makes it possible for any user with CreateChild permissions on an OU to compromise any user in the domain “and gain similar power to the Replicating Directory Changes privilege used to perform DCSync attacks.”

“Furthermore, we’ve found no indication that current industry practices or tools flag CreateChild access — or, more specifically, CreateChild for dMSAs — as a critical concern. We believe this underlines both the stealth and severity of the issue,” Gordon added.

The decision to disclose before a patch reignited the old responsible-disclosure debate. On social media, some researchers criticized Akamai for publishing full details of the attack path before a patch is available. On the flip side, old-school hackers say Microsoft has a history of misdiagnosing and declining to fix serious security problems.

In the absence of an official patch, Akamai has published detection queries, logging guidance, and a script to locate principals that can create dMSAs. 
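As an added defender-side example (not Akamai’s published script and not code from the original article), the PowerShell below audits which principals hold CreateChild rights on each OU, the prerequisite the article describes, and flags whether the right covers any child class or is scoped to dMSAs. It assumes the RSAT ActiveDirectory module, a forest whose schema already contains the dMSA class (the lDAPDisplayName msDS-DelegatedManagedServiceAccount is assumed), and an `$expectedPattern` of admin groups that you tune to your own environment.

```powershell
# Added example: audit CreateChild rights on OUs that would let a principal create a dMSA.
# Not Akamai's script. Requires the ActiveDirectory module (creates the AD: drive on import).
Import-Module ActiveDirectory

# Resolve the dMSA class GUID from the schema at runtime instead of hard-coding it.
# Assumption: the class is named msDS-DelegatedManagedServiceAccount in the 2025 schema.
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$dmsaClass = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=msDS-DelegatedManagedServiceAccount)' `
    -Properties schemaIDGUID
if (-not $dmsaClass) {
    throw 'dMSA class not found in schema: no Windows Server 2025 DC has extended this forest yet.'
}
$dmsaGuid = [guid]$dmsaClass.schemaIDGUID

# Principals that are expected to hold CreateChild on OUs; tune this for your environment.
$expectedPattern = '\\(Domain Admins|Enterprise Admins|Administrators)$|^NT AUTHORITY\\SYSTEM$'

$createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild

$findings = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # GenericAll also carries the CreateChild bit, so a bitwise test catches both.
        if (-not ($ace.ActiveDirectoryRights -band $createChild)) { continue }
        # An empty ObjectType means CreateChild for every class, which includes dMSAs.
        $anyClass = ($ace.ObjectType -eq [guid]::Empty)
        if (-not $anyClass -and $ace.ObjectType -ne $dmsaGuid) { continue }
        if ($ace.IdentityReference.Value -match $expectedPattern) { continue }
        [pscustomobject]@{
            OU        = $ou.DistinguishedName
            Principal = $ace.IdentityReference.Value
            Scope     = if ($anyClass) { 'Any child class' } else { 'dMSA class only' }
            Inherited = $ace.IsInherited
        }
    }
}

# Each row is a principal outside the expected set that can create a dMSA in that OU.
$findings | Sort-Object OU, Principal | Format-Table -AutoSize
```

Run it as a user who can read OU security descriptors; unresolved SIDs in the Principal column usually point at deleted or foreign-domain accounts that still hold the right.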


Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
