
SharpSuccessor: PoC for Exploiting BadSuccessor Vulnerability in Windows Server 2025

A proof-of-concept exploit tool called SharpSuccessor has been released that weaponizes the recently disclosed BadSuccessor vulnerability in the delegated Managed Service Account (dMSA) feature of Windows Server 2025.

The .NET-based tool, developed by Logan Goins, shows how an attacker holding nothing more than the right to create objects in a single Organizational Unit can escalate to Domain Admin-equivalent access. At the time of writing no patch was available, which is what makes the release significant for enterprise Active Directory environments.

Exploiting dMSA Architecture

The BadSuccessor vulnerability, discovered by Akamai researcher Yuval Gordon, abuses the dMSA migration mechanism through two attributes on the dMSA object: msDS-ManagedAccountPrecededByLink, which names the account the dMSA is said to replace, and msDS-DelegatedMSAState, which records whether that migration has completed.

SharpSuccessor automates the attack by creating a dMSA under the attacker's control, pointing msDS-ManagedAccountPrecededByLink at any target account (including a Domain Administrator) and marking the migration as complete. The KDC then treats the dMSA as the legitimate successor of that account and issues it tickets carrying the target's identity and group memberships.

The only prerequisite is CreateChild permission over some Organizational Unit (OU) in the domain, enough to create the dMSA object; the attacker never needs any rights on the target account itself.

The first stage is run with a command of the form: SharpSuccessor.exe add /impersonate:Administrator /path:"ou=test,dc=lab,dc=lan" /account:jdoe /name:attacker_dMSA. Here /impersonate is the account to be impersonated, /path is the OU where the attacker holds CreateChild, /account is the attacker-controlled principal that will be allowed to use the new dMSA, and /name is the name of the dMSA to create.

This creates a dMSA that the KDC will treat as the successor of the target account, so tickets issued to it carry the target's SID and group memberships, without the attacker ever touching the original user object or its group memberships.
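Every step of that first stage writes to the directory, so on a domain controller it leaves an audit trail: event 5137 (directory object created) for the new dMSA and event 5136 (directory object modified) for the two migration attributes. The following script is an added example written for this page, not part of SharpSuccessor or of Akamai's tooling; it pulls those events from the Security log and groups them per dMSA. It assumes it is run on a Windows Server 2025 domain controller where "Audit Directory Service Changes" is enabled and the OUs carry a SACL that audits Create Child and Write Property, because without that SACL the events are never generated; the 24-hour window and the attribute names are the only other inputs.

```powershell
# Added detection example (editor's own code, not SharpSuccessor's and not Akamai's).
# Assumes: running on a Windows Server 2025 DC, "Audit Directory Service Changes" enabled,
# and a SACL on the relevant OUs so that events 5136/5137 are actually written.

$sinceHours        = 24
$dmsaClass         = 'msDS-DelegatedManagedServiceAccount'
$watchedAttributes = 'msDS-ManagedAccountPrecededByLink', 'msDS-DelegatedMSAState'

# XPath: object created (5137) or modified (5136) within the window. "&lt;=" is XML for "<=".
$filterXml = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=5136 or EventID=5137) and TimeCreated[timediff(@SystemTime) &lt;= $($sinceHours * 3600000)]]]
    </Select>
  </Query>
</QueryList>
"@

# Pull one named EventData field out of the event's XML rendering.
function Get-EventField([xml]$xml, [string]$name) {
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $name }).'#text'
}

$events = Get-WinEvent -FilterXml $filterXml -ErrorAction SilentlyContinue

$hits = foreach ($ev in $events) {
    $xml = [xml]$ev.ToXml()
    # Only dMSA objects matter; ordinary user/computer changes are noise here.
    if ((Get-EventField $xml 'ObjectClass') -ne $dmsaClass) { continue }

    $attr = Get-EventField $xml 'AttributeLDAPDisplayName'
    # 5137 carries no attribute fields; for 5136 keep only the two migration attributes.
    if ($ev.Id -eq 5136 -and $watchedAttributes -notcontains $attr) { continue }

    [pscustomobject]@{
        Time      = $ev.TimeCreated
        EventId   = $ev.Id
        Actor     = "$(Get-EventField $xml 'SubjectDomainName')\$(Get-EventField $xml 'SubjectUserName')"
        ObjectDN  = Get-EventField $xml 'ObjectDN'
        Attribute = $attr
        Value     = Get-EventField $xml 'AttributeValue'
    }
}

# Collapse to one row per dMSA. The BadSuccessor signature is a freshly created dMSA whose
# PrecededByLink points at another account and whose DelegatedMSAState was set to 2 (completed).
$hits | Group-Object ObjectDN | ForEach-Object {
    $linked = ($_.Group | Where-Object Attribute -eq 'msDS-ManagedAccountPrecededByLink').Value
    $state  = ($_.Group | Where-Object Attribute -eq 'msDS-DelegatedMSAState').Value
    [pscustomobject]@{
        dMSA       = $_.Name
        CreatedBy  = ($_.Group | Where-Object EventId -eq 5137).Actor
        PrecededBy = $linked
        State      = $state
        Suspicious = [bool]$linked -and ($state -contains '2')
    }
} | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

A legitimate migration started with the built-in dMSA cmdlets produces the same attribute writes, so the Actor column is the discriminator: the writes should come from an account that administers service accounts, not from an ordinary user who happens to hold CreateChild on an OU.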

Multi-Stage Kerberos Authentication Chain

SharpSuccessor only creates the object; the escalation itself is a three-step Kerberos exchange driven with Rubeus.

First the attacker obtains a TGT for the low-privileged account that was granted use of the dMSA (jdoe in the example above) with Rubeus.exe tgtdeleg /nowrap, which returns the ticket as a base64 blob without touching LSASS. That TGT is the credential for everything that follows.

Second, the attacker requests a TGT for the dMSA itself: Rubeus.exe asktgs /targetuser:attacker_dmsa$ /service:krbtgt/lab.lan /opsec /dmsa /nowrap /ptt /ticket:[base64_ticket]. This is the same TGS exchange a Windows Server 2025 host uses to fetch a dMSA's ticket, and because the dMSA claims to have succeeded the Administrator account with a completed migration, the KDC builds its PAC with the Administrator's SID and group memberships.

The result is not a service ticket for the Administrator but a TGT for attacker_dmsa$ that is honoured as if it were one. No change is made to the Administrator object or to any privileged group, so controls that watch for membership changes or password resets on protected accounts see nothing.

The final step turns that TGT into a service ticket for the domain controller: Rubeus.exe asktgs /user:attacker_dmsa$ /service:cifs/[DC_FQDN] /opsec /dmsa /nowrap /ptt, supplying the dMSA TGT from the previous step, which yields SMB access to the DC for post-exploitation.

Akamai reports that in 91% of the Active Directory environments it examined, users outside the Domain Admins group already held the permissions needed to execute the BadSuccessor attack.

The exposure is so broad because the attack rides on CreateChild over an OU, a right routinely delegated to help desks, provisioning systems and application teams, rather than on any privileged account.

The attack works even in domains that have never deployed a dMSA: the only requirement is at least one Windows Server 2025 domain controller, since that is where the dMSA object class and the KDC logic that honours the migration link exist.

Microsoft has acknowledged the issue but rated it "moderate severity", below its threshold for an immediate fix.

Until a patch ships, the practical defences are to find out who can create objects in each OU and to take that right away from anyone who does not need it. Akamai's Get-BadSuccessorOUPermissions.ps1 script enumerates OUs where non-administrators hold CreateChild; dMSA creation should be restricted to trusted administrators, and the creation of dMSA objects and writes to msDS-ManagedAccountPrecededByLink should be audited on the domain controllers.
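The exposure check described above (who can create objects in which container), as an added example written for this page rather than Akamai's own Get-BadSuccessorOUPermissions.ps1: it walks every OU and container, resolves the schema GUID of the dMSA object class so that class-scoped CreateChild grants are caught too, and reports every allow ACE that would let a principal outside a short allow-list create a dMSA, or grant itself that right via WriteDacl or WriteOwner. It assumes the RSAT ActiveDirectory module in a domain-authenticated session; the allow-list of well-known administrative SIDs is an assumption to be extended per environment.

```powershell
# Added exposure-check example (editor's own code, not Akamai's script and not SharpSuccessor).
# Read-only: it only reads ACLs. Assumes the RSAT ActiveDirectory module is installed.
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE

# Resolve the schemaIDGUID of the dMSA class. A CreateChild ACE matters if it is unscoped
# (all child classes) or scoped to exactly this class. If the class is absent, the schema
# was never extended for Windows Server 2025 and no dMSA can be created at all.
$dmsaClass = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=msDS-DelegatedManagedServiceAccount)' -Properties schemaIDGUID
if (-not $dmsaClass) { throw 'msDS-DelegatedManagedServiceAccount is not in the schema; BadSuccessor does not apply.' }
$dmsaGuid = [guid]$dmsaClass.schemaIDGUID

# Principals expected to hold creation rights (assumption: extend for your environment).
$domainSid = (Get-ADDomain).DomainSID.Value
$allowList = @("$domainSid-512",   # Domain Admins
               "$domainSid-519",   # Enterprise Admins
               'S-1-5-32-544',     # BUILTIN\Administrators
               'S-1-5-18',         # SYSTEM
               'S-1-5-9')          # Enterprise Domain Controllers

$createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
$writeDacl   = [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl
$writeOwner  = [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

# Domain head plus every OU and container: a dMSA can be created in any of them.
$targets = @(Get-ADObject -SearchBase $rootDse.defaultNamingContext -SearchScope Base -Filter *) +
           @(Get-ADObject -SearchBase $rootDse.defaultNamingContext `
                 -LDAPFilter '(|(objectClass=organizationalUnit)(objectClass=container))')

$findings = foreach ($obj in $targets) {
    $acl = Get-Acl -Path "AD:\$($obj.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Inherit-only ACEs grant nothing on this container itself.
        if ($ace.PropagationFlags -band $inheritOnly) { continue }

        $rights = $ace.ActiveDirectoryRights
        # GenericAll sets the CreateChild bit, so HasFlag catches it as well.
        # WriteDacl / WriteOwner let the holder grant CreateChild to themselves first.
        $canCreate = $rights.HasFlag($createChild) -or $rights.HasFlag($writeDacl) -or $rights.HasFlag($writeOwner)
        if (-not $canCreate) { continue }

        # Class-scoped ACEs for some other class (e.g. CreateChild of "computer" only) are harmless here.
        if ($ace.ObjectType -ne [guid]::Empty -and $ace.ObjectType -ne $dmsaGuid) { continue }

        try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { $sid = $ace.IdentityReference.Value }   # unresolvable identity, keep the raw value
        if ($allowList -contains $sid) { continue }

        [pscustomobject]@{
            Container = $obj.DistinguishedName
            Identity  = $ace.IdentityReference.Value
            Rights    = $rights
            Scope     = if ($ace.ObjectType -eq $dmsaGuid) { 'dMSA class only' } else { 'all child classes' }
            Inherited = $ace.IsInherited
        }
    }
}

$findings | Sort-Object Container, Identity | Format-Table -AutoSize
```

Each row is a principal that could run the first SharpSuccessor step against that container. Inherited rows usually trace back to a delegation higher in the tree, so fixing the ACE at its source clears several rows at once; the object owner is not listed but implicitly holds WriteDacl, so unexpected OU owners deserve the same review.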

The release of SharpSuccessor collapses a multi-step privilege escalation into a handful of commands that a far less capable attacker can run, which makes auditing and tightening OU permissions a matter of urgency rather than hygiene.


The post SharpSuccessor: PoC for Exploiting BadSuccessor Vulnerability in Windows Server 2025 appeared first on Cyber Security News.
