Akamai Drops PoC for ‘BadSuccessor’ Windows Server Flaws


Akamai has stirred controversy in the cybersecurity world by publishing full exploitation details for a serious privilege-escalation vulnerability in Windows Server 2025. The flaw—dubbed BadSuccessor—affects delegated Managed Service Accounts (dMSAs), a new feature in Server 2025 designed to modernize legacy service account management. The flaw allows attackers with minimal permissions to hijack Active Directory user privileges without touching sensitive group memberships or triggering standard privilege escalation alerts.

Akamai researcher Yuval Gordon said Microsoft acknowledged the vulnerability but assigned it a “moderate” severity rating, declining to issue an immediate patch. That decision prompted Akamai to go public, citing the widespread risk and the default enablement of dMSA support in Server 2025 domain controllers.

“The KDC never questions the bloodline”

Gordon’s analysis centers on how dMSAs inherit the access rights of the original accounts they are meant to succeed. An attacker with CreateChild permissions on an organizational unit (OU)—a permission Akamai found present in 91% of customer environments—can create a dMSA that inherits elevated privileges from a target service account.

“This is all the Domain Controller needs to treat us as the legitimate heir,” Gordon wrote in his technical breakdown. “No group membership changes, no Domain Admins group touch, and no suspicious LDAP writes.”

By modifying just two attributes on a newly created dMSA object, the attacker can bypass traditional defenses. Akamai argues that Microsoft’s position downplays the risk, as even non-admin users with CreateChild permissions can exploit it—and that such permissions are far more common than assumed.

Disclosure Sparks Industry Backlash and Praise

The timing and detail of Akamai’s disclosure have reignited the longstanding debate over responsible disclosure. Some researchers criticized the release of proof-of-concept (PoC) code before Microsoft had shipped a patch, arguing it exposes organizations to unnecessary risk. Others backed Akamai, saying Microsoft’s reluctance to fix impactful bugs has forced the hands of researchers.

This tension is not new. Critics say Microsoft has a pattern of underestimating or dismissing serious flaws, often requiring public pressure before acting. Supporters of Akamai’s move point out that the disclosure includes detection queries, logging recommendations, and scripts to help sysadmins identify accounts that can create dMSAs—making it a full transparency release rather than a reckless dump.

Gordon emphasized the stealthy nature of the issue: “We’ve found no indication that current industry practices or tools flag CreateChild access — or, more specifically, CreateChild for dMSAs — as a critical concern. This underlines both the stealth and severity of the issue.”

In the absence of an official patch, security teams are urged to audit permissions around dMSA creation and monitor for any unusual object creation in OUs tied to domain controllers.
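One way to carry out the permission audit described above, as an added example (not Akamai’s published script): a PowerShell query that lists every OU access-control entry granting CreateChild for the dMSA object class, or for all child classes. It assumes the ActiveDirectory RSAT module is loaded on a domain-joined host and that the forest schema already contains the Server 2025 dMSA class.

```powershell
# Added example, not Akamai's tool: enumerate OUs whose ACL grants CreateChild
# for the dMSA class (msDS-DelegatedManagedServiceAccount) or for all child types.
Import-Module ActiveDirectory

# Resolve the schema GUID of the dMSA class from the forest schema rather than hard-coding it.
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$dmsaClass = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=msDS-DelegatedManagedServiceAccount)' -Properties schemaIDGUID
if (-not $dmsaClass) {
    throw 'dMSA class not present in schema: no Server 2025 schema extension, nothing to audit.'
}
$dmsaGuid = [guid]$dmsaClass.schemaIDGUID

$createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild

$findings = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    # The AD: PSDrive is provided by the ActiveDirectory module
    $acl = Get-Acl -Path ("AD:\" + $ou.DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Bit test: matches CreateChild itself and GenericAll, which contains it
        if (($ace.ActiveDirectoryRights -band $createChild) -eq 0) { continue }
        # ObjectType Guid.Empty means the right covers every child class;
        # otherwise it must name the dMSA class to be relevant here
        if ($ace.ObjectType -ne [guid]::Empty -and $ace.ObjectType -ne $dmsaGuid) { continue }
        [pscustomobject]@{
            OU        = $ou.DistinguishedName
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.ActiveDirectoryRights
            Scope     = if ($ace.ObjectType -eq [guid]::Empty) { 'AllChildObjects' } else { 'dMSA only' }
            Inherited = $ace.IsInherited
        }
    }
}

# Expected principals (Domain Admins, Enterprise Admins, SYSTEM) will appear; review the rest.
$findings | Sort-Object OU, Principal | Format-Table -AutoSize
```

Any non-administrative principal in the output can create a dMSA in that OU and should be reviewed against the detection and logging guidance in Akamai’s disclosure.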
