CVE-2025-53779 (BadSuccessor): Windows Kerberos Privilege Escalation

Overview
CVE-2025-53779, also known as “BadSuccessor”, is a newly disclosed network-based elevation-of-privilege vulnerability in Windows Kerberos. Patched in August 2025, this zero-day impacts Windows Server environments running Active Directory, specifically through the delegated Managed Service Account (dMSA) feature introduced in Windows Server 2025.
CVE ID: CVE-2025-53779
CVSS Score: 7.2 (High)
Impact: Full compromise of confidentiality, integrity, and availability across affected domains
Status: Patched (August 2025 Patch Tuesday)
Exploitation in the Wild: None confirmed, but proof-of-concept code is available
Exploit Timeline
Early 2025 – Vulnerability discovered during security research into dMSA delegation.
July 2025 – Privately reported to Microsoft via MSRC.
August 12, 2025 – Patched as part of Patch Tuesday release.
August 13, 2025 – Public disclosure of CVE-2025-53779; dubbed “BadSuccessor.”
Mid-August 2025 – Proof-of-concept exploit code released publicly.
Current (August 2025) – No confirmed in-the-wild exploitation, but weaponization risk is high given AD value.
Attack Details & Impact
Attack Vector: Network-based, requiring an authenticated attacker with elevated Active Directory privileges.
Mechanism: Exploits improper validation of path inputs for dMSAs, focusing on attributes such as:
Result: Attackers can craft malicious delegation chains to impersonate privileged accounts (including domain admin), enabling domain-wide or cross-forest escalation.
Risks include:
Full Domain Compromise – attackers gain domain admin rights, disable monitoring, alter GPOs, and cover tracks.
Supply Chain Propagation – escalation may cross into partner or multi-forest environments.
Insider Abuse – malicious insiders with sufficient privileges can escalate with ease.
Affected Systems
All supported Windows Server versions with Kerberos enabled
Domain Controllers managing Kerberos and dMSA accounts
Environments leveraging Windows Server 2025 dMSAs
Microsoft estimates ~0.7% of Active Directory domains remain vulnerable. Risk increases significantly in organizations deploying dMSAs.
Comparison to Previous Kerberos Vulnerabilities
“BadSuccessor” fits into a broader history of Kerberos-related privilege escalation flaws:
CVE-2022-26923 “Certifried” – Exploited certificate mapping in Active Directory to escalate privileges and impersonate domain controllers.
CVE-2020-17049 “Bronze Bit” – Kerberos KDC vulnerability allowing attackers to bypass PAC signature validation.
CVE-2014-6324 (Golden Ticket / MS14-068) – Infamous bug where attackers could forge Kerberos tickets to gain domain admin rights.
What’s Different?
Unlike older flaws (ticket forgery, PAC bypass), CVE-2025-53779 abuses dMSA delegation paths, a relatively new feature in Windows Server 2025.
It highlights how new Active Directory features can introduce high-impact vulnerabilities, even if exploitation requires initial elevated privileges.
Defensive Measures
Patch Immediately – Deploy Microsoft’s August 2025 Patch Tuesday Kerberos update on all domain controllers and servers.
Audit dMSA Deployments – Review and limit delegated Managed Service Accounts. Validate account attributes and delegation chains.
Monitor for Anomalies – Configure SIEM/EDR to detect unusual delegation or privilege escalation attempts.
Restrict Privileges – Ensure only trusted admins can create or modify service accounts and delegation settings.
No practical mitigations exist for unpatched systems besides disabling dMSA — which may be operationally disruptive.
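The audit and monitoring measures above can be turned into a single review script. The one below is an added example written for this page; it is not from the original advisory or from Microsoft. It assumes the ActiveDirectory PowerShell module on a domain controller or RSAT host, the Windows Server 2025 schema (object class msDS-DelegatedManagedServiceAccount, with the msDS-ManagedAccountPrecededByLink attribute holding the DN of the account a dMSA supersedes and msDS-DelegatedMSAState holding its migration state), and Directory Service Changes auditing (events 5136 and 5137) enabled on the domain controllers. The privileged-group list, the "trusted principal" pattern and the 7-day window are illustrative choices.

```powershell
# Added audit example for CVE-2025-53779 (BadSuccessor); not part of the advisory.
# Assumed: ActiveDirectory module; Windows Server 2025 schema class
# msDS-DelegatedManagedServiceAccount with attributes
# msDS-ManagedAccountPrecededByLink (DN of the superseded account) and
# msDS-DelegatedMSAState; Directory Service Changes auditing (5136/5137) on DCs.
Import-Module ActiveDirectory

$dmsaClass = 'msDS-DelegatedManagedServiceAccount'
$linkAttr  = 'msDS-ManagedAccountPrecededByLink'

# --- 1. Privileged accounts that no dMSA should be linked to --------------
# Group list is an illustrative choice; extend it to match your tiering model.
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins'
$privilegedDNs = @{}
foreach ($g in $privilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        ForEach-Object { $privilegedDNs[$_.DistinguishedName] = $g }
}

# --- 2. Every dMSA and its predecessor link ------------------------------
# A dMSA linked to a privileged account is the delegation chain the advisory
# says to validate (HIGH); any other link still deserves a look (REVIEW).
$query = @{ LDAPFilter = "(objectClass=$dmsaClass)"; Properties = $linkAttr, 'msDS-DelegatedMSAState', 'whenCreated' }
$linkFindings = Get-ADObject @query | ForEach-Object {
    $dmsa = $_
    foreach ($link in @($dmsa.$linkAttr | Where-Object { $_ })) {
        [pscustomobject]@{
            Severity    = if ($privilegedDNs.ContainsKey($link)) { 'HIGH' } else { 'REVIEW' }
            dMSA        = $dmsa.DistinguishedName
            Predecessor = $link
            PrivGroup   = $privilegedDNs[$link]
            State       = $dmsa.'msDS-DelegatedMSAState'
            Created     = $dmsa.whenCreated
        }
    }
}

# --- 3. Who may create dMSA objects in OUs and containers ----------------
# The advisory asks that only trusted admins create or modify service
# accounts; list other principals holding CreateChild (for this class or for
# all classes) or GenericAll. Inherited ACEs are included by Get-Acl.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$classObj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$dmsaClass)" -Properties schemaIDGUID
$ouFindings = @()
if (-not $classObj) {
    Write-Warning "Schema has no $dmsaClass class; this forest cannot host dMSAs."
} else {
    $dmsaGuid    = [guid]$classObj.schemaIDGUID
    $createChild = [int][System.DirectoryServices.ActiveDirectoryRights]::CreateChild
    $genericAll  = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $trusted     = '^(.*\\)?(Domain Admins|Enterprise Admins|Administrators|SYSTEM)$'   # illustrative
    $ouFindings = Get-ADObject -LDAPFilter '(|(objectClass=organizationalUnit)(objectClass=container))' |
        ForEach-Object {
            $dn = $_.DistinguishedName
            foreach ($ace in (Get-Acl -Path "AD:\$dn").Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if ($ace.IdentityReference.Value -match $trusted) { continue }
                $rights = [int]$ace.ActiveDirectoryRights
                $create = (($rights -band $createChild) -ne 0) -and
                          ($ace.ObjectType -eq $dmsaGuid -or $ace.ObjectType -eq [guid]::Empty)
                $full   = (($rights -band $genericAll) -eq $genericAll)
                if ($create -or $full) {
                    [pscustomobject]@{ Container = $dn; Principal = $ace.IdentityReference.Value; Rights = $ace.ActiveDirectoryRights }
                }
            }
        }
}

# --- 4. Recent directory-change audit events touching dMSAs --------------
# 5137 = object created, 5136 = attribute modified. Needs the "Audit Directory
# Service Changes" subcategory plus a SACL on the domain or the relevant OUs.
function ConvertFrom-EventData([System.Diagnostics.Eventing.Reader.EventRecord]$e) {
    $h = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    $h
}
$since = (Get-Date).AddDays(-7)   # window is an illustrative choice
$eventFindings = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136, 5137; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertFrom-EventData $_
        $hit = ($_.Id -eq 5137 -and $d['ObjectClass'] -eq $dmsaClass) -or
               ($_.Id -eq 5136 -and $d['AttributeLDAPDisplayName'] -eq $linkAttr)
        if ($hit) {
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Id     = $_.Id
                Actor  = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Object = $d['ObjectDN']
                Value  = $d['AttributeValue']
            }
        }
    }

'== dMSA predecessor links ==';                   $linkFindings  | Sort-Object Severity | Format-Table -AutoSize
'== Non-admin principals able to create dMSAs =='; $ouFindings    | Format-Table -AutoSize
"== dMSA audit events since $since ==";           $eventFindings | Format-Table -AutoSize
```

Run it with an account that can read the schema, the OU ACLs and the Security log on a domain controller. Section 3 is the part worth keeping after patching: a principal who can create dMSA objects in any container is exactly the "sufficient privileges" the advisory's insider-abuse scenario relies on, so that list should be short and entirely expected. Section 4 only sees changes made on the DC whose log you query; feed the 5136/5137 filter into the SIEM to cover every domain controller.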
Closing Words
“BadSuccessor” represents a network-wide escalation path that bypasses traditional exploit chains. While Microsoft marks exploitation as less likely, the existence of PoC code and its high-value target (Active Directory) make this a priority vulnerability.
