Semperis, a pioneer in AI-powered identity security and cyber resilience, announced new detection capabilities in its Directory Services Protector (DSP) platform to defend against “BadSuccessor,” a high-severity privilege escalation technique targeting a newly introduced feature in Windows Server 2025.
The enhancements-developed in direct collaboration with the Akamai research team that discovered the vulnerability-enable organisations to detect and respond to exploitation attempts before attackers can escalate privileges and compromise the domain.
How attackers can abuse dMSAs
Akamai researchers showed how attackers can abuse dMSAs to impersonate high-privilege users
BadSuccessor exploits delegated Managed Service Accounts (dMSAs), a new Windows Server 2025 feature meant to improve service account security.
Akamai researchers demonstrated how attackers can abuse dMSAs to impersonate high-privilege users in Active Directory (AD), including Domain Admins, without any patch currently available.
Challenge in enterprise identity security
This high-severity exploitation vector underscores a long-standing challenge in enterprise identity security: managing service accounts. These accounts often operate with excessive or unmonitored privileges, creating hidden attack paths ripe for exploitation.
In response, Semperis updated its DSP platform with one new Indicator of Exposure (IOE) and three Indicators of Compromise (IOCs) to detect abnormal dMSA behaviour.
Real-world detection capabilities
These indicators help security teams spot undue delegation rights, malicious linkages between dMSAs
These indicators help security teams spot excessive delegation rights, malicious linkages between dMSAs and privileged accounts, and attempts to target sensitive accounts like KRBTGT.
"Semperis moved quickly to translate the vulnerability into real-world detection capabilities for defenders, demonstrating how collaboration between researchers and vendors can lead to rapid, meaningful impact," said Yuval Gordon, Security Researcher at Akamai. "The abuse of service accounts is a growing concern, and this high-profile vulnerability is a wake-up call."
Collaboration with Akamai
“Service accounts remain one of the least governed yet most powerful assets in enterprise environments,” said Tomer Nahum, Security Researcher at Semperis.
“This collaboration with Akamai allowed us to close detection gaps fast and give defenders visibility into a deeply complex area of Active Directory that attackers continue to exploit.”
Audit dMSA permissions
The vulnerability affects any organisation with at least one domain controller running Windows Server 2025. Even a single misconfigured DC can introduce risk across the environment.
Until a patch is released, organisations are urged to audit dMSA permissions and monitor for signs of misuse using enhanced detection tools like Semperis DSP.