Windows Server 2025: Rights extension gap in AD

Akamai warns of an unpatched privilege escalation vulnerability in Windows Server 2025. Admins need to take action.

Shaky Windows 11 logo in front of matrix-like code

(Image: heise online / dmk)

Akamai, operator of the large content delivery network, is currently warning of a security vulnerability in the Active Directory operation of Windows Server 2025. This could allow users to extend their rights.

The cloud company has named the vulnerability “BadSuccessor”. In a blog post, Akamai discusses details of the vulnerability. According to the article, an attack abuses a function called “delegated Managed Service Account” (dMSA), which Microsoft introduced with Windows Server 2025. The default configuration is vulnerable, and an attack is trivial to implement, explains Akamai.

According to Akamai's analysis, the problem affects most organizations that use Active Directory. “In 91 percent of the environments we examined, we discovered user accounts outside the domain admin group that have the necessary rights to execute the attack,” the authors write. Microsoft is therefore planning to resolve the issue, but no patch is yet available. IT managers must therefore take measures themselves to reduce the attack surface. The solutions proposed by Akamai have been approved by Microsoft.


The attack works because Microsoft has introduced “delegated Managed Service Accounts” (dMSA) in Windows Server 2025. This is a new type of service account in AD that is based on the Group Managed Service Accounts (gMSAs). dMSAs allow existing, unmanaged service accounts to be migrated into dMSAs. When the IT researchers at Akamai poked around in the bowels of dMSAs, they came across a way to extend rights – the company goes into more detail in the blog post.

Due to the vulnerability found, it is possible to take over every principal in a domain with dMSAs. Attackers only need a certain authorization in one of the organizational units (OUs) of the domain, namely write authorization to any dMSA. For an attack to work, it is not even necessary for dMSAs to be used in a domain. All that is required is that at least one Windows Server 2025 is running on the network.

As a countermeasure, Akamai suggests tracking down all principals such as users, groups, and computers with authorization to create dMSAs in the domain and restricting this authorization to “trusted administrators”. Akamai provides a PowerShell script that lists the non-standard principals that are allowed to create dMSAs and outputs the OUs for which the principals have this authorization.
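The following is an added illustration of that kind of audit, written for this page and not Akamai's script. It walks every OU in the domain, reads its ACL through the ActiveDirectory module's `AD:` drive, and reports ACEs that grant create-child rights either for all object classes or specifically for the dMSA class (`msDS-DelegatedManagedServiceAccount`), which is resolved from the schema at runtime rather than hard-coded. The list of principals treated as expected holders of this right (`$defaultPrincipals`) is an assumption to be adjusted to the environment's own baseline; the rights mask also includes GenericAll, WriteDacl and WriteOwner, since a principal holding those on an OU can grant itself CreateChild.

```powershell
# Added audit example (not Akamai's script): list non-default principals that can
# create dMSA objects in each OU. Assumes RSAT's ActiveDirectory module is installed
# and the caller may read OU security descriptors.
Import-Module ActiveDirectory

# Resolve the dMSA object class GUID from the schema; absent class means no 2025 schema.
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$dmsaClass = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=msDS-DelegatedManagedServiceAccount)' `
    -Properties schemaIDGUID
if (-not $dmsaClass) {
    Write-Warning 'dMSA object class not present in the schema; nothing to audit.'
    return
}
$dmsaGuid       = [guid]$dmsaClass.schemaIDGUID
$allObjectsGuid = [guid]::Empty   # ACE ObjectType of "all child object classes"

# Assumption: principals expected to hold this right; tune to your own baseline.
$defaultPrincipals = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    "$env:USERDOMAIN\Domain Admins",
    "$env:USERDOMAIN\Enterprise Admins"
)

# Rights sufficient to create a child object, or to grant oneself that right.
$relevantRights = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, GenericAll, WriteDacl, WriteOwner'

$findings = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Keep only ACEs that carry one of the relevant rights ...
        if (($ace.ActiveDirectoryRights -band $relevantRights) -eq 0) { continue }
        # ... and that apply to every child class or to the dMSA class itself.
        if ($ace.ObjectType -ne $allObjectsGuid -and $ace.ObjectType -ne $dmsaGuid) { continue }
        $principal = $ace.IdentityReference.Value
        if ($defaultPrincipals -contains $principal) { continue }
        [pscustomobject]@{
            OU        = $ou.DistinguishedName
            Principal = $principal
            Rights    = $ace.ActiveDirectoryRights
            Inherited = $ace.IsInherited
        }
    }
}

$findings | Sort-Object Principal, OU | Format-Table -AutoSize
```

Each row names a principal and the OU on which it holds the right, which is the input needed for the restriction Akamai recommends: remove or narrow the ACE unless the principal is a trusted administrator. Because the article also notes that write access to an existing dMSA suffices, the same loop can be pointed at existing dMSA objects (`Get-ADObject -LDAPFilter '(objectClass=msDS-DelegatedManagedServiceAccount)'`) to review who can modify them.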

It is still completely unclear when Microsoft will fix the vulnerability in Windows Server 2025.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.