A new proof-of-concept tool named SharpSuccessor is now publicly available, providing attackers with an automated method to exploit a critical privilege escalation vulnerability in Windows Server 2025’s delegated Managed Service Accounts (dMSA) feature. Researchers have dubbed the underlying flaw “BadSuccessor,” and it allows adversaries with modest Active Directory permissions to rapidly gain Domain Admin-level access, potentially leading to full forest compromise.

The exploit chain, detailed in a technical write-up published by cybersecurity researchers and confirmed by multiple independent analysts, leverages default Active Directory configurations and insufficient attribute validation in the dMSA migration process. At the heart of the issue is the msDS-ManagedAccountPrecededByLink attribute, which is designed to facilitate seamless migration by linking a dMSA to a source account. However, the implementation in Windows Server 2025 fails to properly check the integrity of this linkage, opening a clear path for abuse.

The Anatomy of BadSuccessor

When an organization deploys dMSAs, the Active Directory Key Distribution Center (KDC) processes Kerberos requests for these accounts based on the linked identity. The vulnerability stems from the fact that any security principal with CreateChild permissions on an Organizational Unit (OU) can create a rogue dMSA object and point its msDS-ManagedAccountPrecededByLink attribute to a high-privilege account—such as a Domain Admin. Once this attribute is set, the KDC will issue Kerberos Ticket Granting Tickets (TGTs) and service tickets for the spoofed identity, effectively allowing the attacker to impersonate the targeted account without ever needing its credentials.

“This is not a flaw in Kerberos itself, but in the way Windows Server 2025 validates—or rather, fails to validate—who can set that critical link attribute,” explained one researcher familiar with the exploit. “It’s a classic case of insecure default design.” Independent verification on Windows Server 2025 preview builds confirmed the feasibility of the attack, with test environments succumbing to full domain compromise in minutes.

SharpSuccessor: Automated Exploitation in Three Stages

The SharpSuccessor tool turns what might otherwise be a manual, multi-step attack into a streamlined process. It integrates with existing offensive tools like Rubeus to handle Kerberos ticket manipulation, making the exploit accessible even to less-skilled adversaries. The attack unfolds in three distinct phases:

Stage 1: Malicious dMSA Creation
An attacker who has obtained CreateChild rights on a target OU—either through misconfiguration, inherited permissions, or prior compromise—executes a simple command:

SharpSuccessor.exe add /impersonate:Administrator /path:"ou=test,dc=lab,dc=lan" /account:jdoe /name:attacker_dMSA

This command creates a new dMSA named attacker_dMSA, linking it via the vulnerable attribute to the domain’s Administrator account. No administrative privileges are required beyond the ability to create objects in the specified OU.

Stage 2: Kerberos Ticket Manipulation
With the rogue dMSA in place, the attacker leverages Rubeus to request Kerberos tickets:

Rubeus.exe tgtdeleg /nowrap
Rubeus.exe asktgs /targetuser:attacker_dmsa$ /service:krbtgt/lab.lan /opsec /dmsa /nowrap /ptt

The first command obtains a TGT for the current user, while the second requests a service ticket for the krbtgt service, effectively impersonating the Administrator through the forged attribute linkage. The /dmsa flag tells Rubeus to handle the dMSA-specific interaction, and /ptt passes the ticket directly into the current session.

Stage 3: Full Domain Compromise
Finally, the attacker requests a service ticket for the domain controller’s CIFS service:

Rubeus.exe asktgs /user:attacker_dmsa$ /service:cifs/WIN-RAEAN26UGJ5.lab.lan /opsec /dmsa /nowrap /ptt

With this ticket, the attacker can mount the domain controller’s file shares, extract credentials, or perform “pass-the-ticket” attacks to move laterally. From there, generating Golden Tickets for persistent access is straightforward.

“SharpSuccessor reduces a complex AD attack to a few lines of code,” noted a penetration tester who reviewed the tool. “Organisations that haven’t tightened their OU permissions are essentially handing over their domain.”

gMSA vs dMSA: A Comparative Look

To understand why BadSuccessor is so dangerous, it helps to compare the older group Managed Service Accounts (gMSA) with the new delegated variant. gMSAs have long been used for automated service identity management, but their attack surface was generally limited to Kerberoasting, in which service tickets are requested and then cracked offline to recover weak service account passwords. That attack requires significant effort and doesn’t grant immediate escalation.

Feature                   | gMSA                      | dMSA (Pre-Mitigation)
--------------------------|---------------------------|--------------------------------------------
Authentication Binding    | Domain-wide               | Machine-specific
Primary Exploit           | Kerberoasting             | Attribute hijacking (BadSuccessor)
Secret Storage            | Automatic rotation in AD  | Machine-bound, but linkable to any identity
Privilege Escalation Risk | Medium (offline cracking) | Critical (instant impersonation)

dMSAs were introduced to bind service identities to specific machines, reducing the blast radius. Yet the very mechanism meant to enforce that binding—the linkage attribute—has become a vector for instant privilege escalation. “It’s an ironic twist,” says a senior AD architect. “The feature designed to tighten security has, in its current form, opened one of the most direct paths to Domain Admin we’ve seen in years.”

Why This Vulnerability Is So Severe

Several factors converge to make BadSuccessor a top-tier threat:

  • Low privilege barrier: Only CreateChild rights on an OU are needed—a permission commonly delegated to service desk staff or even automated provisioning scripts. In complex enterprise environments, auditing and revoking these rights is often overlooked.
  • Instant escalation: Unlike Kerberoasting, which may take hours or days of cracking, this exploit grants immediate ticket issuance for the targeted high-privilege account.
  • Stealthy operation: The Kerberos tickets produced appear legitimate. Standard logs may show nothing more than normal ticket requests, making detection extremely difficult without advanced anomaly analysis.
  • Weaponized automation: SharpSuccessor packages every step into an easy-to-use tool, lowering the skill floor for would-be attackers.

Multiple cybersecurity firms have validated the attack chain, and red teams are already incorporating it into their assessments. “We’ve seen environments where 30% of OUs have overly permissive create rights,” one consultant noted. “That’s a huge attack surface.”

Immediate Mitigation Steps for Defenders

Microsoft has not yet released a formal patch, but administrators can take decisive action now to block the known exploit path. The following measures should be treated as urgent:

  1. Audit and Restrict OU Permissions
    Use PowerShell to enumerate OUs and their permissions:
    Get-ADOrganizationalUnit -Filter * | Get-ADObject -Properties nTSecurityDescriptor
    Identify any non-administrative accounts that hold CreateChild or Write rights and remove them immediately. Where delegation is required, apply the principle of least privilege aggressively.

  2. Harden the dMSA Linkage Attribute
    Modify Access Control Lists (ACLs) on the msDS-ManagedAccountPrecededByLink attribute to deny write access to all but a tightly controlled group—ideally Domain Admins only. This can be scripted and enforced via Group Policy or regular compliance checks.

  3. Enable Credential Guard and Machine-Bound Authentication
    Credential Guard can restrict service account tokens to their intended host, making pass-the-ticket attacks harder. Deploy it on all servers hosting dMSAs, and monitor for cross-machine Kerberos traffic that deviates from normal patterns.

  4. Deploy Advanced Kerberos Monitoring
    Since the forged tickets are technically valid, traditional logging won’t suffice. Use SIEM rules to detect:
    - New dMSA objects appearing in unexpected OUs.
    - Unusual service ticket requests involving the krbtgt service.
    - Ticket requests that include the /dmsa flag (if such details are logged).

  5. Conduct Proactive Penetration Testing
    Engage a red team or use internal testing tools to simulate SharpSuccessor-style attacks. Confirm that your environment can detect and block each stage of the exploit chain.

  6. Stay Vigilant for Microsoft’s Patch
    Track the Microsoft Security Response Center (MSRC) portal for an official advisory and patch. Until a fix lands, consider disabling dMSA functionality in sensitive production domains, or at least strictly limiting its use to test environments.
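A fuller version of the audit in step 1, written here as an added example rather than code from the article or the SharpSuccessor project: it walks every OU's ACL and reports principals outside an allow-list that hold CreateChild (or GenericAll, which includes that bit), either for any child class or specifically for the msDS-DelegatedManagedServiceAccount object class that dMSAs use. It assumes the ActiveDirectory module on a domain-joined host, and the $AllowedPrincipals list is a placeholder to adapt to your own delegation model.

```powershell
# Added example, not from the article or the SharpSuccessor project.
# Lists OU ACEs that let non-allow-listed principals create child objects,
# the precondition for planting a rogue dMSA.
Import-Module ActiveDirectory

# Placeholder allow-list: principals expected to create objects in OUs.
$AllowedPrincipals = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM',
                       "$env:USERDOMAIN\Domain Admins", "$env:USERDOMAIN\Enterprise Admins")

# schemaIDGUID of the dMSA class, so class-scoped CreateChild grants are caught too.
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$dmsaClass = Get-ADObject -SearchBase $schemaNC -Properties schemaIDGUID `
               -LDAPFilter '(lDAPDisplayName=msDS-DelegatedManagedServiceAccount)'
$dmsaGuid  = if ($dmsaClass) { [guid]$dmsaClass.schemaIDGUID } else { $null }

function Get-RiskyOuCreateRights {
    foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
        $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            # CreateChild bit; GenericAll already contains it.
            $canCreate = $ace.ActiveDirectoryRights -band `
                         [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
            if (-not $canCreate) { continue }
            # Empty ObjectType = any child class; otherwise only flag dMSA-scoped grants.
            $scopeAll  = $ace.ObjectType -eq [guid]::Empty
            $scopeDmsa = $dmsaGuid -and ($ace.ObjectType -eq $dmsaGuid)
            if (-not ($scopeAll -or $scopeDmsa)) { continue }
            if ($AllowedPrincipals -contains $ace.IdentityReference.Value) { continue }
            [pscustomobject]@{
                OU        = $ou.DistinguishedName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.ActiveDirectoryRights
                Scope     = if ($scopeAll) { 'Any child class' } else { 'dMSA class' }
                Inherited = $ace.IsInherited
            }
        }
    }
}

Get-RiskyOuCreateRights | Sort-Object OU | Format-Table -AutoSize
```

Inherited entries point at a parent OU or the domain head whose ACL should be fixed at the source; review each reported principal before removing the grant.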

The Bigger Picture: Active Directory Security Under Fire

The BadSuccessor vulnerability is the latest in a series of high-impact Active Directory flaws that have emerged in recent years. Zerologon (CVE-2020-1472), PrintNightmare (CVE-2021-34527), and PetitPotam (CVE-2021-36942) each demonstrated how a single misconfiguration or implementation flaw could unravel an entire domain’s security. BadSuccessor fits this pattern, but with a new vector—exploiting a brand-new feature before most organizations have even had time to secure it.

“We’re seeing a troubling trend,” said a veteran incident responder. “New features are being introduced with insufficient adversarial testing. Attackers are quick to weaponize them, and defenders are left scrambling.” This exploit also underscores the fragility of attribute-based identity linking. When a single attribute can grant the full power of a Domain Admin, its protection must be absolute.

Microsoft’s Silence and What Comes Next

At the time of writing, Microsoft has acknowledged the risk but has not issued an official security bulletin, CVE number, or patch. Security researchers initially reported the flaw through responsible disclosure channels, and while the company investigates, the public availability of SharpSuccessor raises the stakes dramatically.

Historical precedent suggests that a fix will likely arrive in a future cumulative update for Windows Server 2025, possibly accompanied by a broader hardening of dMSA attribute validation. In the meantime, any organization running the new server operating system—whether in production or pre-production—should implement the mitigations outlined above without delay.

“The window of exposure is now,” warned a security architect at a Fortune 500 firm. “If you wait for the patch, you’re gambling that no adversary will point this tool at your domain. It’s not a risk worth taking.”

Conclusion

The release of SharpSuccessor transforms a theoretical privilege escalation flaw into a practical, push-button weapon against Windows Server 2025 domains. BadSuccessor is not merely a bug; it is a design-level vulnerability that exploits the very machinery meant to enforce service identity boundaries. For organisations that have already deployed or are piloting Windows Server 2025, this is a critical call to action.

By auditing OU permissions, locking down the vulnerable attribute, and enhancing Kerberos monitoring, defenders can significantly reduce the attack surface. But the deeper lesson is clear: every new feature must be treated as potentially hostile until proven otherwise. As Microsoft works on a patch, the security community must remain vigilant, sharing intelligence and hardening defenses against the next iteration of Active Directory attacks. The SharpSuccessor tool is out. Now it’s up to the blue teams to ensure it has no victims.