
Germany’s Federal Office for Information Security (BSI) is sounding the alarm about a critical unpatched vulnerability in Active Directory on Windows Server 2025. Microsoft initially estimated “moderate” severity, but the BSI has now raised it to 9.9 out of 10.
According to BSI, attackers can exploit a vulnerability in Microsoft Windows Server 2025 to increase their privileges. Active Directory is Microsoft’s centralized directory service for managing and securing user accounts, computers, and resources across a Windows network.
According to security researchers from Akamai, who previously publicly disclosed the flaw and dubbed it BadSuccessor, any user in Active Directory can be compromised by abusing the delegated Managed Service Account (dMSA) feature introduced in Windows Server 2025. The technique works with the default configuration and is “trivial to implement.”
“It allows any user who controls a dMSA object to control the entire domain. That’s all it takes. No actual migration. No verification. No oversight,” Akamai warned.
Golem.de found that BSI considers the flaw critical despite Microsoft classifying it as moderate and not even registering a CVE identifier.
“In 91% of the environments we examined, we found users outside the domain admins group that had the required permissions to perform this attack,” Akamai said.
The situation sparked criticism both of the researchers’ decision to go public with the disclosure while no patch was available and of Microsoft’s inability to properly assess the vulnerability’s severity.
Security expert Florian Roth warns that the vulnerability enables full domain compromise with the default configuration, yet there is no patch and no fix.
“Researchers published everything anyway. Because… ‘we respectfully disagree with Microsoft’s assessment.’ So yeah, let’s just drop an end-to-end domain takeover technique online to prove a point,” Roth said.
“In the end, both sides look bad. Microsoft, for being dysfunctional or apathetic. Researchers, for chasing clout over coordinated disclosure.”
#BadSuccessor - a textbook example of why the security ecosystem is broken
Florian Roth ⚡️ (@cyb3rops), May 22, 2025
- A privilege escalation vuln in Windows Server 2025 AD (via dMSA)
- Full domain compromise with default config
- Microsoft was told, agreed it’s real, but rated it “moderate”
- No patch, No fix
- No code… pic.twitter.com/No7dysPzWR
However, Akamai pointed out in its report that Microsoft has reviewed its findings and approved the publication.
While Windows Server 2025 has been generally available since November 2024, it is not yet widely deployed. According to Roth, this makes “the real-world blast radius” limited.
The security expert criticizes Microsoft either for not correctly assessing the vulnerability or for no longer caring about on-premises Active Directory, focusing instead on sales of its cloud-based identity and access management service, Entra ID.
While there is no formal patch, Akamai recommends that network defenders identify all principals (users, groups, computers) with permissions to create dMSAs across the domain and limit that permission to trusted administrators only.
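One way to carry out that inventory, as an added PowerShell example that is not from the article or from Akamai’s own tooling. It assumes the RSAT ActiveDirectory module (which provides the AD: drive), read access to container ACLs, and a list of expected administrative principals that you adjust for your domain.

```powershell
# Added example, not from the article or from Akamai's tooling: list principals
# that can create dMSA objects in any OU or container of the current domain.
# Assumes the RSAT ActiveDirectory module (which provides the AD: drive) and
# read access to container ACLs.
Import-Module ActiveDirectory

# Resolve the schemaIDGUID of the dMSA object class from the live schema
# instead of hard-coding it.
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$dmsaClass = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=msDS-DelegatedManagedServiceAccount)' `
    -Properties schemaIDGUID
$dmsaGuid = [guid]$dmsaClass.schemaIDGUID
$anyGuid  = [guid]'00000000-0000-0000-0000-000000000000'  # ACE applies to all object types

# Rights that let a principal create a dMSA (CreateChild) or take over the
# container's ACL and thereby grant themselves that right.
$createRights = @('CreateChild', 'GenericAll', 'WriteDacl', 'WriteOwner')

# Principals expected to hold these rights (assumption: adjust to your domain);
# anything else in the output deserves review.
$expected = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'SYSTEM')

# OUs and plain containers (e.g. CN=Users), since dMSAs can live in either.
$containers = Get-ADObject -LDAPFilter '(|(objectClass=organizationalUnit)(objectClass=container))' |
    Select-Object -ExpandProperty DistinguishedName

$findings = foreach ($dn in $containers) {
    $acl = Get-Acl -Path ("AD:\" + $dn)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = $ace.ActiveDirectoryRights.ToString()
        if (-not ($createRights | Where-Object { $rights -match $_ })) { continue }
        # A CreateChild ACE scoped to some other object class cannot create dMSAs.
        if ($ace.ObjectType -ne $anyGuid -and $ace.ObjectType -ne $dmsaGuid) { continue }
        $name = ($ace.IdentityReference.Value -split '\\')[-1]
        if ($expected -contains $name) { continue }
        [pscustomobject]@{
            Container = $dn
            Principal = $ace.IdentityReference.Value
            Rights    = $rights
            Inherited = $ace.IsInherited
        }
    }
}

$findings | Sort-Object Principal, Container | Format-Table -AutoSize
```

Group entries in the output should be expanded recursively, since every member of a listed group effectively holds the right.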