Fix NOW: BadSuccessor Vulnerability
- Ben Card
- May 30
- 2 min read
A Critical Active Directory Vulnerability SMBs Need to Address Now

Cybersecurity professionals are sounding the alarm over a newly discovered Windows Active Directory vulnerability that could allow any user to escalate privileges and compromise admin accounts. The flaw, found in the Delegated Managed Service Account (dMSA) feature, is enabled by default in Windows Server 2025, which makes it a major risk, especially for small to midsized businesses (SMBs) that rely on Active Directory (AD) for identity management.
Understanding the Vulnerability
The Delegated Managed Service Account (dMSA) feature was introduced in Windows Server 2025 to improve security by replacing traditional service accounts, which are often targeted in Kerberoasting attacks. However, researchers at Akamai discovered that dMSAs inherit permissions from the accounts they replace, creating an unexpected privilege escalation pathway.
How the Attack Works
- Any user with CreateChild permissions on an Organizational Unit (OU) can create a dMSA.
- The attacker links the dMSA to a high-privilege account (such as a domain admin).
- The Key Distribution Center (KDC) automatically grants the dMSA all permissions of the original account.
- The attacker gains full domain control, allowing them to steal credentials, manipulate AD objects, and move laterally across the network.
Why SMBs Are at Risk

Below are some examples of why small- to midsized businesses (SMBs) in particular are at risk.
- Default Configuration Exposure: Many SMBs use default Active Directory settings, meaning they are automatically vulnerable.
- Overprivileged Users: In 91% of tested environments, non-admin users had sufficient permissions to execute this attack.
- Limited Security Resources: SMBs often lack dedicated cybersecurity teams, making them slower to detect and respond to threats.
Microsoft’s Response
Microsoft has acknowledged the vulnerability but classified it as moderate severity, stating that an attacker must already hold specific permissions to exploit it. Security experts counter that these permissions are far more common than Microsoft suggests, which makes the flaw a serious concern.
How SMBs Can Protect Themselves

Until Microsoft releases a patch, organizations should take immediate action:
- Restrict dMSA Creation: Limit who can create and modify dMSAs using Group Policy.
- Audit Permissions: Remove CreateChild privileges from users or groups that don't need them.
- Monitor dMSA Activity: Enable logging for dMSA creation and attribute changes (Event IDs 5136, 5137, 5138, 5139, 5141). These Directory Service Changes events are only written when the "Audit Directory Service Changes" subcategory is enabled and the OU's SACL audits the relevant operations, so verify both before relying on them.
- Use Detection Tools: Run Akamai's PowerShell script to identify users with dMSA creation permissions.
- Stay Updated: Follow Microsoft security advisories for patch updates.
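As an added example of the permission audit described above (my own script, not Akamai's tool and not part of the original post), the following PowerShell walks every OU and reports ACEs that grant CreateChild, either for all child classes or for the dMSA class specifically, to principals outside an assumed allow-list of admin groups. It assumes the ActiveDirectory RSAT module and read access to the OUs' security descriptors.

```powershell
# Audit which principals can create child objects (and therefore dMSAs) on OUs.
# Assumption: the ActiveDirectory module is installed and the caller can read OU ACLs.
Import-Module ActiveDirectory

# Resolve the schema GUID of the dMSA object class instead of hard-coding it.
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$dmsaClass = Get-ADObject -SearchBase $schemaNC -Properties schemaIDGUID `
                -LDAPFilter '(lDAPDisplayName=msDS-DelegatedManagedServiceAccount)'
if (-not $dmsaClass) {
    throw 'dMSA class not present in the schema; dMSAs cannot be created in this forest.'
}
$dmsaGuid = [guid]::new([byte[]]$dmsaClass.schemaIDGUID)

# Principals for whom CreateChild on OUs is expected; adjust to your delegation model.
$netbios  = (Get-ADDomain).NetBIOSName
$expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
              "$netbios\Domain Admins", "$netbios\Enterprise Admins")
$createChildBit = [int][System.DirectoryServices.ActiveDirectoryRights]::CreateChild

$findings = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # GenericAll contains the CreateChild bit, so a bitwise test catches both.
        if ((([int]$ace.ActiveDirectoryRights) -band $createChildBit) -eq 0) { continue }
        # ObjectType narrows CreateChild to one class; an empty GUID means any class.
        if ($ace.ObjectType -eq [guid]::Empty)  { $scope = 'all child classes' }
        elseif ($ace.ObjectType -eq $dmsaGuid)  { $scope = 'dMSA objects only' }
        else { continue }   # CreateChild restricted to some unrelated class
        if ($expected -contains $ace.IdentityReference.Value) { continue }
        [pscustomobject]@{
            OU        = $ou.DistinguishedName
            # May be a group; expand its membership separately to see affected users.
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.ActiveDirectoryRights
            Scope     = $scope
            Inherited = $ace.IsInherited
        }
    }
}

$findings | Sort-Object OU, Principal | Format-Table -AutoSize
```

Each row is a candidate for the "Audit Permissions" step: review the delegation and remove the ACE, or tighten it to the specific child classes the principal actually needs.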
Final Thoughts
The BadSuccessor vulnerability highlights how new security features can introduce unforeseen risks. SMBs must act now to audit permissions, monitor AD activity, and restrict dMSA usage to prevent potential domain-wide compromises.
Cybersecurity is a constant battle, and staying ahead of emerging threats is the key to protecting business operations. If your organization relies on Active Directory, now is the time to review your security posture and implement proactive defenses. Let Webcheck Security help you in your security program management by running a special scan of your Active Directory or Entra ID!