Yuval Gordon Profile
Yuval Gordon

@YuG0rd

Followers
1K
Following
456
Media
3
Statuses
80

Security Researcher at Akamai. Opinions are my own.

Joined December 2017
@YuG0rd
Yuval Gordon
3 months
🚀 We just released my research on BadSuccessor - a new unpatched Active Directory privilege escalation vulnerability. It allows compromising any user in AD, it works with the default config, and Microsoft currently won't fix it 🤷‍♂️ Read Here -
@YuG0rd
Yuval Gordon
2 months
RT @cybersaiyanIT: Another Monday. Another week of… endless emails, annoying meetings, and oh look, a three-headed monkey behind you! Now…
@YuG0rd
Yuval Gordon
2 months
RT @akamai_research: If you can't beat them, ban them 😏 Malicious Cryptominers can be tough to dismantle - but we found a way. 👀 By explo…
@YuG0rd
Yuval Gordon
2 months
RT @yo_yo_yo_jbo: Israel feed: places that can be donated to in dollars and that have an account on benevity? 🇮🇱 I'd appreciate it if you would help me spread the message.
@YuG0rd
Yuval Gordon
3 months
Many missed this on #BadSuccessor: it’s also a credential dumper. I wrote a simple PowerShell script that uses Rubeus to dump Kerberos keys and NTLM hashes for every principal - krbtgt, users, machines. No DCSync required, no code execution on DC.
@YuG0rd
Yuval Gordon
3 months
RT @_logangoins: I'm super happy to announce an operationally weaponized version of @YuG0rd's BadSuccessor in .NET format! With a minimum o…
github.com
SharpSuccessor is a .NET Proof of Concept (POC) for fully weaponizing Yuval Gordon’s (@YuG0rd) BadSuccessor attack from Akamai. - logangoins/SharpSuccessor
@YuG0rd
Yuval Gordon
3 months
RT @jaredcatkinson: We did an analysis across participating customers & found that ~96% had > 1 user that has the necessary permissions to…
@YuG0rd
Yuval Gordon
3 months
Given all of this, we believed it was in the best interest of defenders to share our findings openly and proactively.
@YuG0rd
Yuval Gordon
3 months
Finally, we had little confidence that Microsoft would move quickly. The vulnerability was rated as “moderate” and we were given no timeline for a fix. That led us to believe a patch might not arrive for several months — if at all.
@YuG0rd
Yuval Gordon
3 months
We were genuinely shocked by how easy this was to discover, and surprised no one else had already reported it. Since it hinges on newly introduced and currently unmonitored attributes, it’s entirely plausible that adversaries could have found and used it quietly.
@YuG0rd
Yuval Gordon
3 months
Based on our data: 91% of organizations we examined had some low-privileged users who could exploit this issue — a meaningful risk. But fewer than 10% had any domain controllers running Windows Server 2025.
@YuG0rd
Yuval Gordon
3 months
To exploit it, an attacker would first need access to a domain account with specific privileges. In other words, it’s a privilege escalation path with certain prerequisites - not an unauthenticated RCE.
@YuG0rd
Yuval Gordon
3 months
Second, it’s important to clarify what this vulnerability actually enables. It does *not* allow an end-to-end domain takeover on its own.
@YuG0rd
Yuval Gordon
3 months
First, Windows Server 2025 is still in early stages of adoption. Based on what we’ve seen, most organizations haven’t yet upgraded their domain controllers. That window presented a critical opportunity to raise awareness before widespread deployment.
@YuG0rd
Yuval Gordon
3 months
Disclosing vulnerabilities always involves a careful tradeoff - there's potential for harm, but also for real benefit. In this case, we strongly believe that publishing this research creates a net positive impact for the security community.
@YuG0rd
Yuval Gordon
3 months
We've heard feedback suggesting we should have waited to release details about BadSuccessor until Microsoft issued a patch. We want to explain why we made the decision to go public immediately.
@YuG0rd
Yuval Gordon
3 months
RT @akamai_research: Today we unveil BadSuccessor - a new no-fix Active Directory privilege escalation technique. We will explore the rece…
@YuG0rd
Yuval Gordon
3 months
7/ Microsoft confirmed the issue, but said it doesn't meet the bar for immediate servicing. So for now: it's live, it's silent, and it's dangerous.
@YuG0rd
Yuval Gordon
3 months
6/ We named this attack BadSuccessor, because that's exactly what the dMSA becomes - the unintended heir to a high-privilege identity. A successor, with all the right keys.