Germany Sounds Alarm on Critical Windows Server 2025 Flaw

Germany’s Federal Office for Information Security (BSI) is sounding the alarm about a critical unpatched vulnerability in Active Directory on Windows Server 2025. While Microsoft initially estimated the severity as “moderate,” the BSI has now raised the rating to 9.9 out of 10.

According to BSI, attackers can exploit this vulnerability to escalate privileges within Microsoft Windows Server 2025. Active Directory, Microsoft’s centralized directory service, manages and secures user accounts, computers, and resources across a Windows network. 

Security researchers from Akamai, who publicly disclosed the flaw and named it BadSuccessor, explained that any user can be compromised in Active Directory by exploiting the delegated Managed Service Account (dMSA) feature introduced in Windows Server 2025. This vulnerability works with the default configuration and is “trivial to implement.” Akamai warned, “It allows any user who controls a dMSA object to control the entire domain. That’s all it takes. No actual migration. No verification. No oversight.” 

Golem.de reported that BSI considers the flaw critical despite Microsoft classifying it as moderate and not even assigning a CVE identifier. 

“In 91% of the environments we examined, we found users outside the domain admins group that had the required permissions to perform this attack,” Akamai stated. 

The situation has sparked criticism of both the researchers for going public without a patch available and Microsoft for underestimating the severity of the vulnerability. Security expert Florian Roth warned that the flaw enables full domain compromise with default settings, yet no patch or fix currently exists. 

“Researchers published everything anyway. Because… ‘we respectfully disagree with Microsoft’s assessment.’ So yeah, let’s just drop an end-to-end domain takeover technique online to prove a point,” Roth said. 

He added, “In the end, both sides look bad. Microsoft, for being dysfunctional or apathetic. Researchers, for chasing clout over coordinated disclosure.” However, Akamai pointed out in its report that Microsoft has reviewed its findings and approved the publication. 

Windows Server 2025 has been generally available since November 2024 but is not yet widely deployed. According to Roth, this limits the “real-world blast radius.” Roth also criticized Microsoft for either failing to correctly assess these vulnerabilities or for shifting focus away from on-premises Active Directory in favor of promoting its cloud-based identity and access management service, Entra ID. 

While no formal patch exists yet, Akamai recommends that network defenders identify all principals—users, groups, and computers—with permissions to create dMSAs across the domain and restrict those permissions to trusted administrators only. 
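One way to carry out the inventory Akamai recommends is to walk the ACLs of every OU and container in the domain and report which principals hold rights that let them create dMSA objects. The script below is an added example written for this article; it is not Akamai's published tooling and not part of the original report. It assumes the RSAT ActiveDirectory module (and the `AD:` PSDrive it provides) is available, that the dMSA object class is named `msDS-DelegatedManagedServiceAccount` in the forest schema, and that the list of expected administrative principals is adjusted to the environment being reviewed.

```powershell
# Added example, not from the article or from Akamai: list principals that can create
# dMSA objects anywhere in the domain so the permissions can be reviewed and restricted.
# Assumes the RSAT ActiveDirectory module and its AD: PSDrive.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext

# Resolve the schema GUID of the dMSA class so class-specific CreateChild ACEs can be matched.
# Assumption: the class's LDAP display name is msDS-DelegatedManagedServiceAccount.
$dmsaClass = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter "(lDAPDisplayName=msDS-DelegatedManagedServiceAccount)" -Properties schemaIDGUID
if (-not $dmsaClass) {
    throw "dMSA schema class not found; the forest schema may predate Windows Server 2025."
}
$dmsaGuid = [guid]$dmsaClass.schemaIDGUID

# Principals that are expected to hold these rights; everything else is reported for review.
# Adjust to the environment (constructed list).
$expected = @(
    'BUILTIN\Administrators',
    'NT AUTHORITY\SYSTEM',
    "$env:USERDOMAIN\Domain Admins",
    "$env:USERDOMAIN\Enterprise Admins"
)

$R          = [System.DirectoryServices.ActiveDirectoryRights]
$createMask = [int]$R::CreateChild
$fullMask   = [int]$R::GenericAll
$ownerMask  = [int]$R::WriteDacl -bor [int]$R::WriteOwner

# dMSAs are created under OUs and containers, so those are the objects whose ACLs matter.
$containers = Get-ADObject -LDAPFilter "(|(objectClass=organizationalUnit)(objectClass=container))"

$findings = foreach ($c in $containers) {
    $acl = Get-Acl -Path ("AD:\" + $c.DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = [int]$ace.ActiveDirectoryRights

        # CreateChild for all object classes (empty ObjectType) or specifically for the dMSA class.
        $canCreateDmsa = (($rights -band $createMask) -ne 0) -and
                         ($ace.ObjectType -eq [guid]::Empty -or $ace.ObjectType -eq $dmsaGuid)
        # Full control, or the ability to rewrite the ACL, also lets the holder grant itself the right.
        $hasFull  = ($rights -band $fullMask) -eq $fullMask
        $canTake  = ($rights -band $ownerMask) -ne 0

        if (($canCreateDmsa -or $hasFull -or $canTake) -and
            ($expected -notcontains $ace.IdentityReference.Value)) {
            [pscustomobject]@{
                Container = $c.DistinguishedName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.ActiveDirectoryRights
                ObjectType = if ($ace.ObjectType -eq $dmsaGuid) { 'dMSA class' }
                             elseif ($ace.ObjectType -eq [guid]::Empty) { 'all classes' }
                             else { $ace.ObjectType }
                Inherited = $ace.IsInherited
            }
        }
    }
}

$findings | Sort-Object Principal, Container | Format-Table -AutoSize
```

Run it as a user who can read ACLs across the domain; each row names a principal outside the expected administrative set that can create dMSAs (directly, or indirectly through GenericAll, WriteDacl or WriteOwner) in a given container. Inherited entries usually trace back to a single ACE higher in the tree, so fixing the non-inherited ones first removes most rows. Rights that are not required should be removed from the reported principals until the output is empty.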
