Domain Level Compromise via dMSA Exploit
While testing Delegated Managed Service Accounts (dMSA) on Windows Server 2025 I found another way to compromise Active Directory environments. A dMSA that is mismanaged can be used to escalate privileges to any user account in the domain, including domain admins. The BadSuccessor technique published by Akamai relies on a permission that is commonly over-delegated rather than on a product bug, so many enterprise environments are likely exposed even though they have never deployed a dMSA.
Exploit Brief
In short, Delegated Managed Service Accounts (dMSA) were introduced in Windows Server 2025 as a replacement for traditional service accounts, mainly to reduce exposure to Kerberoasting. The technique centres on the msDS-ManagedAccountPrecededByLink attribute, which links a dMSA to the account it supersedes so that, during a migration, the dMSA inherits the rights of that predecessor account.
A user who holds CreateChild permission on any Organizational Unit (OU) can abuse this by creating a dMSA in that OU and pointing its msDS-ManagedAccountPrecededByLink attribute at any high-privilege account. None of this requires access to the predecessor account or its credentials; the attacker never touches the target account itself.
Once the link is in place, the Key Distribution Center (KDC) treats the dMSA as the legitimate successor of that account. The Kerberos Privilege Attribute Certificate (PAC) issued for the dMSA then contains both the dMSA's own security identifier and the SIDs of the predecessor account and its group memberships. The dMSA therefore inherits enough privilege to perform sensitive operations, including directory replication.
Exploitation Prerequisites
The following must be true to exploit:
- The attacker has CreateChild on at least one OU.
- The domain has at least one Windows Server 2025 domain controller.
- The attacker can create or modify dMSA objects in the directory.
Akamai found that in 91% of the environments it assessed, principals outside the domain admins group already held the required permission, because of over-delegated OU permissions.
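The first prerequisite above is the one most organisations can check for themselves. The following PowerShell is an added example (it is not code from the article or from Akamai's tooling) that lists every OU where a principal other than the usual administrative groups holds an allow ACE granting CreateChild (scoped to any class or specifically to the msDS-DelegatedManagedServiceAccount class), or a right such as GenericAll, WriteDacl or WriteOwner that lets the holder grant itself CreateChild. It assumes the ActiveDirectory RSAT module and a domain-joined session with read access to the OUs; the list of "expected" principals is an assumption to tune for your environment.

```powershell
# Added example: enumerate OUs where non-administrative principals can create
# dMSA objects. Not part of the original article; assumptions are marked.
Import-Module ActiveDirectory

# Schema GUID of the dMSA object class. Class-scoped CreateChild ACEs carry
# this GUID in ObjectType; an empty GUID means "any child class".
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$dmsaClass = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=msDS-DelegatedManagedServiceAccount)' `
    -Properties schemaIDGUID
if (-not $dmsaClass) { throw 'dMSA schema class not found; schema is older than Windows Server 2025' }
$dmsaGuid = [guid]$dmsaClass.schemaIDGUID

# Assumption: these are the only principals that legitimately hold the rights.
$netbios  = (Get-ADDomain).NetBIOSName
$expected = @(
    'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
    "$netbios\Domain Admins", "$netbios\Enterprise Admins"
)

# Rights that either allow creating a child object or rewriting the ACL.
$adRights    = [System.DirectoryServices.ActiveDirectoryRights]
$createChild = $adRights::CreateChild
$ownerRights = $adRights::GenericAll -bor $adRights::WriteDacl -bor $adRights::WriteOwner

function Get-DmsaCreateExposure {
    $results = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
        $acl = Get-Acl -Path ("AD:\" + $ou.DistinguishedName)
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $who = $ace.IdentityReference.Value
            if ($expected -contains $who) { continue }

            $canCreate = (($ace.ActiveDirectoryRights -band $createChild) -ne 0) -and
                         ($ace.ObjectType -eq [guid]::Empty -or $ace.ObjectType -eq $dmsaGuid)
            $canGrant  = ($ace.ActiveDirectoryRights -band $ownerRights) -ne 0
            if (-not ($canCreate -or $canGrant)) { continue }

            [pscustomobject]@{
                OU        = $ou.DistinguishedName
                Principal = $who
                Rights    = $ace.ActiveDirectoryRights
                Scope     = if ($ace.ObjectType -eq $dmsaGuid) { 'dMSA class' }
                            elseif ($ace.ObjectType -eq [guid]::Empty) { 'any class' }
                            else { 'ACL control' }
                Inherited = $ace.IsInherited
            }
        }
    }
    $results | Sort-Object OU, Principal
}

Get-DmsaCreateExposure | Format-Table -AutoSize
```

Every row returned is a principal that could create a dMSA somewhere in the domain; group-based ACEs need a further step (expand the group membership) to see which users that actually reaches. Inherited ACEs usually point back to a delegation on a parent OU, which is where the fix belongs.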
Impact and Exposure
If the predecessor is a domain admin, the dMSA inherits domain-level rights such as Replicating Directory Changes and Replicating Directory Changes All. Those are exactly the rights DCSync needs, so the attacker can pull NTLM hashes and Kerberos keys for every account in the domain and impersonate any user.
Having a single Windows Server 2025 domain controller is enough to be exposed; the domain does not need to have any dMSAs in production. Exploitation is low complexity and does not require advanced technical skills once the OU permission is in hand.
Microsoft’s Assessment and Current Status
Microsoft has acknowledged the issue but rated it as moderate severity. Its position is that exploitation requires write permissions on dMSA objects, which it considers an already-elevated position, so the issue does not meet the bar for out-of-band servicing.
A fix is being worked on, with no timeline announced.
Recommended Mitigations
System admins should do the following as soon as possible:
• Block creation and modification of dMSA objects: tighten who can create or modify dMSA objects using Group Policy or Active Directory delegation.
• Audit the access control lists (ACLs) on Organizational Units (OUs): remove CreateChild privileges from users and groups that do not need them.
• Audit dMSA creation and changes: enable Directory Service auditing and monitor for these Event IDs:
◦ 5137 dMSA creation
◦ 5136 dMSA attribute changes (especially msDS-ManagedAccountPrecededByLink)
◦ 2946 Kerberos authentication via dMSA
• Use detection tooling: use the Akamai PowerShell script to find users with dMSA creation permissions and audit the affected Organizational Units.
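The two audit events above are only useful if something reads them. The following PowerShell is an added example (not code from the article or from Akamai) that pulls 5137 and 5136 events from a domain controller's Security log and reduces them to the two things that matter here: a dMSA object being created, and msDS-ManagedAccountPrecededByLink being written. For each write it also checks whether the linked predecessor is a protected account (adminCount = 1), which is the case that should page someone. It assumes the ActiveDirectory module, that "Audit Directory Service Changes" is enabled and that the OUs carry a SACL for object creation and attribute writes; the function and parameter names are this example's own.

```powershell
# Added example: surface dMSA creations and predecessor-link writes from
# Directory Service Changes audit events. Not part of the original article.
Import-Module ActiveDirectory

function Get-DmsaAuditEvent {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # a domain controller
        [datetime]$Since = (Get-Date).AddHours(-24)
    )
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName   = 'Security'
        Id        = 5136, 5137
        StartTime = $Since
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Flatten the EventData <Data Name="..."> elements into a hashtable.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $isDmsa = $data.ObjectClass -eq 'msDS-DelegatedManagedServiceAccount'
        $isLink = $data.AttributeLDAPDisplayName -eq 'msDS-ManagedAccountPrecededByLink'

        if ($e.Id -eq 5137 -and $isDmsa) {
            [pscustomobject]@{
                Time      = $e.TimeCreated
                Event     = 'dMSA created'
                Subject   = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                Object    = $data.ObjectDN
                Target    = $null
                Protected = $false
            }
        }
        elseif ($e.Id -eq 5136 -and $isLink) {
            # OperationType %%14674 is "Value Added"; %%14675 is "Value Deleted".
            if ($data.OperationType -ne '%%14674') { continue }
            $targetDn  = $data.AttributeValue
            $protected = $false
            try {
                $t = Get-ADObject -Identity $targetDn -Properties adminCount -ErrorAction Stop
                $protected = ($t.adminCount -eq 1)
            } catch { }   # target may already be gone; still report the write
            [pscustomobject]@{
                Time      = $e.TimeCreated
                Event     = 'predecessor link set'
                Subject   = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                Object    = $data.ObjectDN
                Target    = $targetDn
                Protected = $protected
            }
        }
    }
}

# Anything linking a dMSA to a protected account is the BadSuccessor pattern.
Get-DmsaAuditEvent | Where-Object { $_.Event -eq 'dMSA created' -or $_.Protected } |
    Format-Table Time, Event, Subject, Object, Target, Protected -AutoSize
```

Note that 5136 and 5137 are only generated when the audit subcategory is enabled (for example `auditpol /set /subcategory:"Directory Service Changes" /success:enable`) and the objects have a matching SACL entry; a quiet log after running this is not evidence of a quiet domain until both are confirmed. Run it against every Windows Server 2025 domain controller, since the write lands on whichever DC the attacker talked to.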
Conclusion
dMSA in Windows Server 2025 is a privilege escalation vector, but it is poor permission delegation in Active Directory that hands an attacker the domain: anyone who can create a dMSA object can become any account. Until Microsoft ships a fix, audit OU permissions and monitor dMSA object creation and changes to stay ahead of exploitation.