German Cybersecurity Agency Flags Critical Windows Server 2025 Flaw Enabling Domain Takeover

BSI warns of an unpatched flaw in Windows Server 2025 Active Directory that allows domain takeover via dMSA. Microsoft rates it moderate; Germany rates it critical.

    Germany’s Federal Office for Information Security (BSI) has issued a high-severity warning over an unpatched security flaw in Microsoft Windows Server 2025, specifically affecting Active Directory. While Microsoft rated the issue as “moderate,” the BSI has assigned its own severity rating of 9.9 out of 10, citing serious risks to enterprise environments.

    Researchers Identify Exploitable Flaw in Active Directory via dMSA Feature

    Security researchers from Akamai, who first disclosed the vulnerability and named it BadSuccessor, warn that attackers can abuse a feature that is enabled by default in Windows Server 2025, delegated Managed Service Accounts (dMSA), to take full control of a domain.

    “It allows any user who controls a dMSA object to control the entire domain. That’s all it takes. No actual migration. No verification. No oversight,”
    Akamai stated.

    BSI’s assessment follows technical analysis by Golem.de, confirming that the flaw works under default settings and does not require administrator-level access: an account that is merely allowed to create a dMSA is enough. In Akamai’s review of customer environments, 91% of those examined had users outside the Domain Admins group with permissions that could be abused to perform the attack.
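    Because the abuse rests on a dMSA object pointing at an account whose rights it inherits, the dMSA objects already present in a domain are a natural place to look. The PowerShell below is an added illustration written for this page; it is not part of the article and not Akamai’s tooling. It assumes the ActiveDirectory RSAT module, read access to the domain, and a schema that already contains the Windows Server 2025 dMSA class. The two flags it raises (the superseded account is a protected, privileged account; the superseded account is still enabled although the link exists) are this example’s own heuristics, chosen because a genuine migration ends with the old service account disabled.

```powershell
# Added example (not from the article or from Akamai): list every dMSA in the
# domain together with the account it claims to supersede. Read-only.
Import-Module ActiveDirectory

$ACCOUNTDISABLE = 0x2   # userAccountControl bit set on disabled accounts

$dmsas = Get-ADObject -LDAPFilter '(objectClass=msDS-DelegatedManagedServiceAccount)' -Properties `
    'msDS-ManagedAccountPrecededByLink', 'msDS-DelegatedMSAState', 'whenCreated', 'nTSecurityDescriptor'

$report = foreach ($d in $dmsas) {
    $predDn = $d.'msDS-ManagedAccountPrecededByLink'
    $pred   = $null
    if ($predDn) {
        # The "predecessor": a real migration points at a service account,
        # an attacker points at whatever holds the privileges they want.
        $pred = Get-ADObject -Identity "$predDn" -Properties adminCount, userAccountControl
    }

    $flags = @()
    if ($pred) {
        if ($pred.adminCount -eq 1) {
            $flags += 'predecessor is a protected (privileged) account'
        }
        if ($null -ne $pred.userAccountControl -and
            -not ($pred.userAccountControl -band $ACCOUNTDISABLE)) {
            $flags += 'predecessor still enabled'
        }
    }

    [pscustomobject]@{
        dMSA        = $d.DistinguishedName
        Created     = $d.whenCreated
        Owner       = $d.nTSecurityDescriptor.Owner   # normally the principal that created it
        State       = $d.'msDS-DelegatedMSAState'     # 2 = migration marked as completed
        Predecessor = $predDn
        Flags       = ($flags -join '; ')
    }
}

# Flagged objects first; an empty list means no dMSA currently claims a predecessor.
$report | Sort-Object { $_.Flags.Length } -Descending | Format-Table -AutoSize
```

    The Owner column is worth reading alongside the flags: a dMSA created by an ordinary user account that supersedes a still-enabled privileged account is exactly the shape the attack produces. Running this once gives a baseline; re-running it on a schedule, or alerting on changes to the predecessor attribute in directory-service auditing, turns it into a detection.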

    Despite the flaw’s critical nature, Microsoft has not assigned a CVE identifier or released a patch. Windows Server 2025 became generally available in November 2024 but has not yet seen widespread adoption.

    Public Disclosure Without Patch Sparks Debate Over Security Practices

    The decision to publish the full details of the vulnerability without a patch available has drawn criticism from the cybersecurity community. Security expert Florian Roth highlighted the risks of sharing a complete domain takeover method in a live environment.

    “Researchers published everything anyway. Because… ‘we respectfully disagree with Microsoft’s assessment.’ So yeah, let’s just drop an end-to-end domain takeover technique online to prove a point,”
    Roth wrote.

    “In the end, both sides look bad. Microsoft, for being dysfunctional or apathetic. Researchers, for chasing clout over coordinated disclosure.”

    Akamai defended its decision by stating that Microsoft had reviewed and approved the public disclosure. However, concerns remain over the absence of an official fix and Microsoft’s downplayed risk classification.

    Roth further criticized Microsoft’s approach, questioning whether the company is deprioritizing on-premises Active Directory in favor of its cloud-based identity solution, Entra ID.

    Mitigation Requires Restricting dMSA Permissions

    Although no formal patch is available, Akamai has recommended that enterprise defenders audit and limit dMSA creation permissions. Organizations should identify all users, groups, and machines with the ability to create or modify delegated Managed Service Accounts in any organizational unit or container, not only in the default Managed Service Accounts container, and restrict this capability to trusted administrators only.

    Until Microsoft issues an update, enterprises using Windows Server 2025 are urged to review their Active Directory configurations closely to minimize exposure.
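    One way to carry out that audit, added here as an example that is neither part of the article nor Akamai’s own script: walk every OU and container in the domain and report any principal, other than the built-in administrative groups, whose ACE allows creating child objects (either of any class or specifically of the dMSA class) or grants enough control of the container to add such a right later. It assumes the ActiveDirectory RSAT module (which provides the AD: drive that Get-Acl reads) and that the dMSA object class is present in the schema; the list of “expected” principals is this example’s assumption and should be adjusted to the environment.

```powershell
# Added example (not from the article or from Akamai): find non-admin principals
# that can create dMSA objects, or take over a container, anywhere in the domain.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$schemaNC = (Get-ADRootDSE).schemaNamingContext

# Resolve the dMSA class GUID from the schema instead of hard-coding it. If the
# class is absent the Server 2025 schema extension has not been applied yet.
$dmsaClass = Get-ADObject -SearchBase $schemaNC -Properties schemaIDGUID `
    -LDAPFilter '(lDAPDisplayName=msDS-DelegatedManagedServiceAccount)'
if (-not $dmsaClass) { throw 'msDS-DelegatedManagedServiceAccount is not in the schema' }
$dmsaGuid  = [guid]$dmsaClass.schemaIDGUID
$anyObject = [guid]::Empty   # ObjectType of an ACE that is not limited to one class

# CreateChild creates the dMSA directly; GenericAll/WriteDacl/WriteOwner let the
# holder grant CreateChild to themselves, so they count as well.
$interesting = [int]([System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor
                     [System.DirectoryServices.ActiveDirectoryRights]::GenericAll  -bor
                     [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl   -bor
                     [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner)

# Assumed set of principals that legitimately hold these rights; edit to taste.
$nb = $domain.NetBIOSName
$expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
              "$nb\Domain Admins", "$nb\Enterprise Admins")

$containers = Get-ADObject -SearchBase $domain.DistinguishedName `
    -LDAPFilter '(|(objectClass=organizationalUnit)(objectClass=container))'

$findings = foreach ($c in $containers) {
    $acl = Get-Acl -Path "AD:\$($c.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.ActiveDirectoryRights -band $interesting) -eq 0) { continue }
        # CreateChild scoped to some other class (e.g. computer objects only) is out of scope.
        if ($ace.ObjectType -ne $anyObject -and $ace.ObjectType -ne $dmsaGuid) { continue }
        $who = $ace.IdentityReference.Value
        if ($expected -contains $who) { continue }
        [pscustomobject]@{
            Container = $c.DistinguishedName
            Principal = $who
            Rights    = $ace.ActiveDirectoryRights
            Scope     = if ($ace.ObjectType -eq $dmsaGuid) { 'dMSA class only' } else { 'any child class' }
            Inherited = $ace.IsInherited
        }
    }
}

$findings | Sort-Object Container, Principal | Format-Table -AutoSize
```

    Broad principals such as Authenticated Users or Domain Users in the output are the cases to fix first, since they match the “any user” scenario Akamai describes. Inherited entries repeat on every child container and usually trace back to a single ACE higher in the tree; removing it there clears the whole subtree. In a child domain the Enterprise Admins group carries the forest root’s NetBIOS prefix and would be reported unless the expected list is adjusted.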
