New Windows Server 2025 Attack Compromises Any Active Directory User

Forbes, 21-05-2025

New Windows Server 2025 vulnerability confirmed.
Although you are far more likely to read about vulnerabilities impacting the Windows operating system, including those that have long since reached end-of-support status such as Windows 7, this doesn't mean that Windows Server users are not in the crosshairs of threat actors. Far from it, and not just legacy versions either, as security researchers reveal a new, and trivial to implement, Windows Server 2025 vulnerability that could compromise any Active Directory user. Here's what you need to know.
Privilege escalation vulnerabilities are among the worst you can be faced with, as, rather obviously, they enable a successful attacker to do way more than they should be able to given the lack of permissions they started with. Yuval Gordon, a senior security researcher at Akamai Technologies, has exclusively shared details of a particularly concerning privilege escalation vulnerability impacting Windows Server 2025. Not only because, as Gordon explained, it allows an attacker to 'compromise any user in Active Directory,' but also as it 'works with the default configuration, and is trivial to implement.' If you thought things couldn't get any worse, you'd be wrong: no patch is currently available.
Akamai has named the vulnerability and associated exploit BadSuccessor, and confirmed that it abuses the delegated Managed Service Account (dMSA) feature introduced with Windows Server 2025. 'In 91% of the environments we examined,' Gordon said, 'we found users outside the domain admins group that had the required permissions to perform this attack.' BadSuccessor might be trivial to implement, but the consequences of a successful attack are anything but trivial.
[Figure: Full attack flow, showing all steps needed to have a BadSuccessor.]
A key feature of dMSA is the ability to migrate existing and non-managed service accounts by seamlessly converting them into dMSAs, and it's this that is the issue. 'By abusing dMSAs, attackers can take over any principal in the domain,' Gordon said. All an attacker needs to be able to exploit the BadSuccessor vulnerability is a seemingly benign permission on any organizational unit in the domain. Here's the real killer though: as long as you have one Windows Server 2025 domain controller, your domain doesn't even need to be using dMSAs at all, the exploit will work anyway.
I would advise every Windows Server administrator to read the full report in its entirety, and as a matter of some urgency. In the meantime, I spoke with Yuval Gordon, who reiterated that BadSuccessor is not only 'so dangerous because the attack is so simple,' but added that Akamai researchers were 'surprised that we were first to discover it.' The only good news, such as it is, would be that there is no evidence to conclusively show that BadSuccessor has been exploited by attackers in the wild at this point, but given that 'most organisations aren't currently monitoring the relevant events,' Gordon said it's hard to say for certain.
Gordon recommended that organizations and admins need to identify which users have the specific permissions that make this attack possible, and, having done so, review and remove unnecessary permissions. 'We're releasing a PowerShell script alongside the blog post to help with that,' Gordon told me, so that would be a good starting point. 'It highlights exactly which users have risky access so defenders know where to focus,' Gordon concluded.
I reached out to Microsoft for a statement, and a spokesman said: 'We appreciate Akamai for identifying and responsibly reporting this issue. After careful investigation, this case was rated as a Moderate severity that does not meet our bar for immediate servicing, as the technique requires elevated user permissions to be successful. We will look to address this issue in a future update.'
Microsoft also said that for BadSuccessor to be successful, an attacker would require access to the msds-groupMSAMembership attribute of the dMSA; this attribute allows the user to utilize the dMSA. The attacker also needs write access to the msds-ManagedAccountPrecededByLink attribute, which allows them to specify a user, such as an administrator, that the dMSA can act on behalf of.
All users of Windows Server 2025 are advised to take action and protect against the threat until Microsoft issues a fix.
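Gordon's advice above is to find out which principals hold the OU permission that makes the attack possible, and Microsoft's statement names msds-ManagedAccountPrecededByLink as the attribute whose value designates the account a dMSA succeeds. The read-only audit below is an added example written for this article; it is not the PowerShell script Akamai released. It assumes the RSAT ActiveDirectory module is installed (it provides the AD: drive), that the OU permission to look for is the right to create child objects of the msDS-DelegatedManagedServiceAccount class (the article does not name the permission), and that the list of expected rights holders is adjusted to your own environment. It then lists every existing dMSA that already carries a msds-ManagedAccountPrecededByLink value.

```powershell
# Added audit example. NOT Akamai's released script: an independent, read-only
# check. Assumptions:
#  - the RSAT ActiveDirectory module is installed (it registers the AD: drive);
#  - the OU right that matters is CreateChild (or GenericAll) for objects of the
#    msDS-DelegatedManagedServiceAccount class;
#  - $expectedHolders is tuned to your environment before trusting the output.
Import-Module ActiveDirectory

# Resolve the schema GUID of the dMSA object class at run time rather than
# hard-coding it; the class only exists once the 2025 schema extension is in.
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$dmsaClass = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(ldapDisplayName=msDS-DelegatedManagedServiceAccount)' `
    -Properties schemaIDGUID
if (-not $dmsaClass) {
    Write-Warning 'dMSA class not found in the schema; nothing to audit.'
    return
}
$dmsaClassGuid = [guid]::new([byte[]]$dmsaClass.schemaIDGUID)

# Principals expected to hold create rights on OUs. Anything else that shows
# up in the report is a candidate for permission review.
$domain = (Get-ADDomain).NetBIOSName
$expectedHolders = @(
    'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
    "$domain\Domain Admins", "$domain\Enterprise Admins"
)

$createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
$genericAll  = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

$ouFindings = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($expectedHolders -contains $ace.IdentityReference.Value) { continue }

        $rights = $ace.ActiveDirectoryRights
        $grantsCreate = (($rights -band $genericAll) -eq $genericAll) -or
                        (($rights -band $createChild) -eq $createChild)
        if (-not $grantsCreate) { continue }

        # An empty ObjectType means the ACE covers any child class; otherwise
        # it only matters here when scoped to the dMSA class itself.
        if ($ace.ObjectType -eq [guid]::Empty)        { $scope = 'AnyChild' }
        elseif ($ace.ObjectType -eq $dmsaClassGuid)  { $scope = 'dMSA' }
        else                                          { continue }

        [pscustomobject]@{
            OU        = $ou.DistinguishedName
            Identity  = $ace.IdentityReference.Value
            Rights    = $rights
            Scope     = $scope
            Inherited = $ace.IsInherited
        }
    }
}

# Existing dMSAs that already name a predecessor account. A value here on an
# account nobody remembers creating is the first thing to investigate.
$linkedDmsas = Get-ADObject `
    -LDAPFilter '(&(objectClass=msDS-DelegatedManagedServiceAccount)(msDS-ManagedAccountPrecededByLink=*))' `
    -Properties msDS-ManagedAccountPrecededByLink, whenCreated |
    Select-Object Name, DistinguishedName, whenCreated, msDS-ManagedAccountPrecededByLink

"== Principals outside the expected list able to create dMSA objects in an OU =="
$ouFindings | Sort-Object OU, Identity | Format-Table -AutoSize
"== dMSAs with msDS-ManagedAccountPrecededByLink set =="
$linkedDmsas | Format-Table -AutoSize
```

The script needs only read access to the directory, so it can run as an ordinary domain user from any machine with RSAT. It deliberately ignores rights such as WriteDacl or WriteOwner on an OU, which would let a holder grant themselves create rights later; treat those as a separate review item. Compare its output with the permission checks in Akamai's own script before removing anything, and keep the second list as a baseline so newly linked dMSAs stand out on the next run.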