Microsoft

A vulnerability known as BadSuccessor in Windows Server 2025’s delegated Managed Service Account (dMSA) feature has been weaponized by a proof-of-concept exploit tool called SharpSuccessor. This tool allows attackers with minimal Active Directory permissions to escalate privileges to the domain administrator level, raising serious security concerns for enterprise environments worldwide. The vulnerability leverages the dMSA migration mechanism and requires only CreateChild permissions over any Organizational Unit (OU) to function. Exploiting this vulnerability could lead to unauthorized access and potential data breaches within organizations.

Source: https://cybersecuritynews.com/sharpsuccessor-poc-badsuccessor/

TPRM report: https://scoringcyber.rankiteo.com/company/microsoft

"id": "mic632052625",
"linkid": "microsoft",
"type": "Vulnerability",
"date": "5/2025",
"severity": "25",
"impact": "1",
"explanation": "Attack without any consequences"
{'affected_entities': [{'type': 'Organization'}],
 'attack_vector': 'Exploiting dMSA migration mechanism by manipulating '
                  'msDS-ManagedAccountPrecededByLink and '
                  'msDS-DelegatedMSAState attributes',
 'description': 'A proof-of-concept exploit tool called SharpSuccessor that '
                'weaponizes the recently discovered BadSuccessor vulnerability '
                'in Windows Server 2025’s delegated Managed Service Account '
                '(dMSA) feature. The .NET-based tool, developed by Logan '
                'Goins, demonstrates how attackers with minimal Active '
                'Directory permissions can escalate privileges to the domain '
                'administrator level, raising serious concerns about the '
                'unpatched vulnerability affecting enterprise environments '
                'worldwide.',
 'impact': {'operational_impact': 'Potential unauthorized access to domain '
                                  'controllers',
            'systems_affected': 'Windows Server 2025 environments'},
 'initial_access_broker': {'entry_point': 'dMSA migration mechanism',
                           'high_value_targets': 'Domain Administrator '
                                                 'accounts'},
 'lessons_learned': 'The release of SharpSuccessor underscores the critical '
                    'need for proactive security measures, as the tool '
                    'transforms a complex privilege escalation technique into '
                    'an easily deployable attack vector accessible to less '
                    'sophisticated threat actors.',
 'motivation': 'Privilege Escalation',
 'post_incident_analysis': {'corrective_actions': ['Implement Akamai’s '
                                                   'detection script '
                                                   'Get-BadSuccessorOUPermissions.ps',
                                                   'Restrict dMSA creation '
                                                   'permissions to trusted '
                                                   'administrators only'],
                            'root_causes': 'Vulnerability in Windows Server '
                                           '2025’s dMSA feature'},
 'recommendations': ['Implement Akamai’s detection script '
                     'Get-BadSuccessorOUPermissions.ps',
                     'Restrict dMSA creation permissions to trusted '
                     'administrators only'],
 'response': {'remediation_measures': ['Implement Akamai’s detection script '
                                       'Get-BadSuccessorOUPermissions.ps',
                                       'Restrict dMSA creation permissions to '
                                       'trusted administrators only']},
 'title': 'BadSuccessor Vulnerability Exploited by SharpSuccessor Tool',
 'type': 'Privilege Escalation',
 'vulnerability_exploited': 'BadSuccessor'}