An epic battle has broken out between global cyber security and cloud services provider, Akamai, and tech behemoth Microsoft over the critical nature of a newly discovered security vulnerability in the upcoming Windows Server 2025.
Called “BadSuccessor” by Akamai’s security research team, the vulnerability can be used by an attacker with low privilege access to introduce further permissions and potentially compromise the entire Active Directory domain.
The flaw (CVE-2022-23769), which was disclosed in a recent blog published by Akamai researcher Yuval Gordon, revolves around the new Delegated Managed Service Accounts (dMSAs) functionality that was added to Windows Server 2025. These dMSAs are built to help migrate away from older service accounts.
However, Akamai found that by abusing the dMSA creation and migration mechanism, any unprivileged user with the “CreateChild” permission on an OU (Organisational Unit) can easily masquerade as any other user in the domain, including administrators.
Akamai notes that their telemetry data indicates that in 91% of the environments they observed at least one non-admin user already has the required “CreateChild” rights, meaning the attack vector is wide open.
This allows for a more covert form of privilege-escalation as traditional alerts won’t be raised and you don’t need to modify group memberships. Akamai has even published a PowerShell script to make it easier for companies to figure out which users have the problematic permissions.
Microsoft, however, rated the vulnerability as “moderate” on severity scale. According to their correspondence with Akamai, they stated that the exploit needs to have certain existing permissions indicating the level of access it has rather than propagate it to all accounts, meaning that it is not as severe.
They said a patch is in the works but did not say when it would be out.
This discrepancy on severity is why Akamai chose to release complete technical details and proof-of-concept code for “BadSuccessor” before a patch has been published.
The move has sparked a long standing debate within the security community around responsible disclosure with some, including criticising Akamai for risking exposing organisations before there has been a fix.
On the other hand, some in the security community contend that Microsoft’s attempt to downplay the severity of the threat should be muted by public consensus in the interest of driving more rapid response and proactive countermeasures.
Akamai is standing behind their determination that the exploit is high impact, low complexity and that it introduces a new abuse vector.
They caution, however, that this exploit could enable an attacker with powers equivalent to the “Replicating Directory Changes” privilege which is commonly seen in advanced DCSync attacks.
With no concrete patch response from Microsoft currently in place, Akamai recommends that organizations limit the capability to create dMSAs and “take a careful look at & harden extended permissions around OU creation to lessen the impact of the ‘BadSuccessor’ vulnerability in Windows Server 2025.”
The spat underlines the difficulties of discovering vulnerabilities and the trade-offs of releasing them to the world quickly versus working to keep users safe.
