Full Report
Following the disclosure of CVE-2025-4427 and CVE-2025-4428, two Ivanti EPMM vulnerabilities that can be chained for RCE, another critical security issue has emerged, posing a severe threat to organizations that rely on Active Directory (AD). A recently uncovered privilege escalation vulnerability in Windows Server 2025 gives attackers the green light to gain control over any […] The post BadSuccessor Detection: Critical Windows Server Vulnerability Can Compromise Any User in Active Directory appeared first on SOC Prime.
Analysis Summary
# Vulnerability: Critical Active Directory 'BadSuccessor' Vulnerability Allows Domain Compromise
## CVE Details
- CVE ID: Not explicitly provided in the summary/context (Assumed to be a zero-day or non-public CVE at the time of the article).
- CVSS Score: Critical implications mentioned, but no specific score provided.
- CWE: No specific CWE is given; the weakness relates to insecure permission delegation/management.
## Affected Systems
- Products: Windows Server (Implied, specifically related to Active Directory Domain Services configuration).
- Versions: Not explicitly listed, implied for default-enabled configurations.
- Configurations: Any configuration where standard users have rights to create or modify **dMSA (Domain Controller Machine Account)** objects. This vulnerability is described as being **default-enabled**.
## Vulnerability Description
The vulnerability, dubbed "BadSuccessor," exploits a flaw in how Active Directory handles permissions related to **dMSA (Domain Controller Machine Account)** objects. An attacker who can create or modify a dMSA can leverage this capability to have the full permissions of the original user (whose dMSA is being manipulated or created) automatically transferred to their controlled dMSA. Crucially, this transfer occurs **without requiring control over the original account** and bypasses validation or approval mechanisms. This effectively grants domain-wide control to any user possessing the necessary creation/modification rights over dMSAs.
## Exploitation
- Status: No exploitation *in the wild* is mentioned, but the article describes high exploitability arising from a configuration weakness.
- Complexity: Implied to be **Low** for users with requisite permissions (i.e., those who can create/modify dMSAs).
- Attack Vector: Likely **Network** (via authenticated domain access) or **Local** if an attacker gains initial low-level access sufficient to manipulate object creation rights.
## Impact
- Confidentiality: High (Full Domain Compromise possible)
- Integrity: High (Full Domain Compromise possible)
- Availability: High (Full Domain Compromise possible)
## Remediation
### Patches
- **Patches**: None available at the time of the article. Microsoft has acknowledged the issue and intends to release a fix in the future.
### Workarounds
- **Restrict dMSA Creation/Modification:** Organizations are strongly encouraged to restrict the ability to create or modify Domain Controller Machine Accounts (dMSAs) to highly privileged users only.
- **Tighten Permissions:** Review and tighten permissions wherever feasible concerning objects related to domain controllers and machine accounts.
## Detection
- **Indicators of Compromise (IOCs):** Suspicious manipulation or creation of dMSA objects by non-standard service accounts.
- **Detection Methods and Tools:** Akamai released a **PowerShell script** available on GitHub to identify all non-default users holding rights to create dMSAs and to highlight the Organizational Units where these permissions exist. Security teams should monitor for unauthorized permissions delegated for dMSA manipulation.
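As an added illustration of the audit the Detection and Workarounds sections describe (this is example code written for this summary, not Akamai's GitHub script): the snippet below walks every OU in the domain, reads its ACL and reports principals that are not expected to hold them but have rights to create dMSA objects (CreateChild scoped to the dMSA class or to any child), or broader GenericAll / WriteDacl / WriteOwner rights that would let them grant that ability. It assumes the RSAT ActiveDirectory module on a domain-joined host, resolves the dMSA class GUID from the schema rather than hard-coding it, and uses an assumed allow-list of built-in privileged principals that you should adjust to your environment.

```powershell
# Added audit example (not Akamai's script). Assumes the RSAT ActiveDirectory module
# and a domain-joined session with read access to OU security descriptors.
Import-Module ActiveDirectory

# Resolve the schemaIDGUID of the dMSA object class from the schema instead of hard-coding it
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$dmsaClass = Get-ADObject -SearchBase $schemaNC -Properties schemaIDGUID `
               -LDAPFilter '(lDAPDisplayName=msDS-DelegatedManagedServiceAccount)'
$dmsaGuid  = [guid]$dmsaClass.schemaIDGUID
$anyChild  = [guid]'00000000-0000-0000-0000-000000000000'   # CreateChild ACE with no object type = any class

# Assumed allow-list: principals expected to hold these rights. Everything else is reported.
$expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'Domain Admins', 'Enterprise Admins')

function Get-DmsaCreationRights {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    $R = [System.DirectoryServices.ActiveDirectoryRights]
    $findings = @()
    foreach ($ou in Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase) {
        $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $who = $ace.IdentityReference.Value
            if ($expected | Where-Object { $who -like "*$_" }) { continue }
            $rights = $ace.ActiveDirectoryRights
            # CreateChild limited to the dMSA class, or unscoped (any child class)
            $createsDmsa = (($rights -band $R::CreateChild) -ne 0) -and
                           ($ace.ObjectType -eq $dmsaGuid -or $ace.ObjectType -eq $anyChild)
            # Rights that let the holder grant themselves dMSA creation on the OU
            $fullControl = (($rights -band $R::GenericAll) -ne 0)
            $ownsDacl    = (($rights -band ($R::WriteDacl -bor $R::WriteOwner)) -ne 0)
            if ($createsDmsa -or $fullControl -or $ownsDacl) {
                $findings += [pscustomobject]@{
                    OU         = $ou.DistinguishedName
                    Principal  = $who
                    Rights     = $rights
                    ObjectType = $ace.ObjectType
                    Inherited  = $ace.IsInherited
                }
            }
        }
    }
    return $findings
}

Get-DmsaCreationRights | Sort-Object OU, Principal | Format-Table -AutoSize
```

Each row is a candidate for the "restrict dMSA creation to highly privileged users" workaround; inherited ACEs point at a parent container whose delegation should be reviewed rather than at the OU itself.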
## References
- Vendor Advisories: Microsoft has acknowledged the issue (no link provided in context).
- Relevant links:
- Akamai PowerShell Script for identification: `github com/akamai/BadSuccessor`
- Further analysis on SOC Prime: `socprime com/blog/detect-badsuccessor-attacks/`