Bad Successor: The Service Account Flaw to Watch
Find Threat Talks on
Bad Successor: The Service Account Flaw to Watch
Windows Server 2025 introduced DMSA – a “secure by design” upgrade meant to modernize service accounts.
Instead, it opened one of the cleanest privilege-escalation paths in Active Directory.
The flaw became known as Bad Successor. (A.K.A. CVE-2025-53779).
With one common OU permission, attackers could create a new managed service account, mark it as a “successor,” and instantly inherit the rights of any target account – including domain admin.
No password cracking. No lateral movement. Just silent identity takeover.
Microsoft patched the core vulnerability, but the deeper issue remains:
service accounts are still over-privileged, under-monitored, and quietly trusted, making them a perfect entry point for attackers.
Hosts Rob Maas, Field CTO at ON2IT and Luca Cipriano, CTI & Red Team Lead at ON2IT, explain how Bad Successor worked, how attackers exploited DMSA migration, and what Zero Trust for AD should look like in 2025.
What you’ll learn:
• How a “secure” service account feature created a hidden escalation path
Why DMSA introduced successor logic attackers could hijack.
• The real attack chain: from OU permissions to domain admin
How create-child permissions and DMSA inheritance become a silent identity takeover.
• Why service accounts are one of the most dangerous trust gaps in AD
Over-privileged, forgotten, and rarely monitored.
• How Microsoft’s patch works – and what it didn’t fix
Why post-patch environments can still face stealthy identity escalation.
• Zero Trust for Active Directory
Least privilege, attribute-change alerts, OU hardening, logging, and service account hygiene.
This isn’t about one feature.
It’s about what happens when identity trust is assumed – not verified.
Your cybersecurity experts
Luca Cipriano
Red Team & Cyber Threat Intelligence Program Lead
ON2IT
Rob Maas
Field CTO
ON2IT
Episode details
It started with a hardening feature – and ended as a privilege-escalation path hiding in plain sight.
DMSA was designed to modernize service account hygiene with automatic rotation and Kerberos-based credential retrieval.
But its migration model introduced a dangerous side effect:
a new account could declare itself the “successor” of an existing one, inheriting all of its rights.
Once attackers gained a foothold with a standard domain user – something they often have – all they needed was a single common permission in an OU:
Create child objects.
With that, they could create a DMSA, set its successor attributes, and act as the target account without ever knowing its password.
The escalation didn’t stop there.
By requesting Kerberos tickets (TGT/TGS), attackers could operate entirely as domain admin – silently, remotely, and with no need to modify the original credentials.
Even after the patch, environments with over-trusted service accounts and weak OU boundaries remain exposed to similar stealth paths.
Bad Successor wasn’t a one-off mistake.
It was a symptom of a broader problem: identity systems built on trust instead of verification.
The playbook for defense:
1. Patch immediately – but don’t stop there
The patch closes the direct exploit, not the structural risk.
2. Harden service account privileges
Remove unnecessary rights and monitor successor-related attributes.
3. Restrict who can create child objects in OUs
In most organizations, far too many users have this ability.
4. Log and alert on DMSA creation and attribute changes
These events should never go unnoticed.
5. Apply Zero Trust to Active Directory
Least privilege, event visibility, identity verification – everywhere.
Bad Successor wasn’t just a vulnerability.
It was a reminder: identity is the real perimeter.
Protect it accordingly.
Get your Hacker T-shirt
Join the treasure hunt!
Find the code within this episode and receive your own hacker t-shirt for free.
