Mallory
Severity: High · Public exploit available

BadSuccessor in Windows Kerberos dMSA

Identifiers: CVE-2025-53779 · CWE-23 (Relative Path Traversal) · Also known as: BadSuccessor

CVE-2025-53779 is a Windows Kerberos elevation-of-privilege vulnerability, publicly known as BadSuccessor, that affects Active Directory environments using delegated Managed Service Accounts (dMSAs), a feature introduced in Windows Server 2025. Microsoft classifies the issue as a relative path traversal flaw (CWE-23) in Windows Kerberos. Supporting reporting indicates that the practical exploitation path abuses the dMSA migration ("successor") linkage: the Key Distribution Center (KDC) can be induced to treat an attacker-controlled dMSA as the legitimate successor of an arbitrary target account and to hand the dMSA that account's credentials. Pre-patch research cited here states that CreateChild on any OU or container was sufficient: the attacker creates a dMSA, points its msDS-ManagedAccountPrecededByLink at the target, and relies on the KDC honoring that one-sided link without any write access to the target account itself. Microsoft's patch reportedly added KDC-side validation that requires the link to be bidirectional before the credential package is issued. Successful exploitation can compromise highly privileged accounts, including members of Domain Admins and domain controller computer accounts.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation enables privilege escalation within Active Directory and can lead to full domain compromise. Multiple cited sources state that an attacker holding only CreateChild on an OU or container can obtain domain administrator privileges by abusing Kerberos dMSA successor handling. In operational terms this yields control of privileged identities, which enables lateral movement, persistence, and broad administrative takeover of the domain.

Mitigation

If you can’t patch tonight, do this now.

Where immediate patching is not possible, reduce exposure by restricting and auditing delegated rights, in particular CreateChild on OUs and containers (any principal who can create a child object there can create a dMSA) and write access to dMSA-related attributes, especially msDS-ManagedAccountPrecededByLink and msDS-GroupMSAMembership. Monitor closely for dMSA creation by non-administrative principals and for changes to dMSA linkage and authorization attributes. Limit use of dMSAs where they are not required, and review Active Directory delegations for paths that could let low-privilege users influence Kerberos successor relationships. Note that these measures shrink the set of principals who can reach the flaw; the flaw itself is in the KDC and is only removed by the update.
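The monitoring step above, as an added example that is not code from this page or from any cited project: it flags dMSA creation (Security event 5137) and writes to the dMSA linkage and authorization attributes (event 5136) from Security-log XML. It assumes "Audit Directory Service Changes" is enabled and that the OU/container SACLs audit object creation and attribute writes; the sample events, the allow-list of expected migration actors, and the inclusion of msDS-DelegatedMSAState in the watched set are constructed assumptions for the example.

```powershell
# Added example (not from the page or any cited project): flag dMSA creation
# (event 5137) and dMSA attribute writes (event 5136) from Security-log XML.
# Assumes "Audit Directory Service Changes" is enabled and SACLs cover the OUs.

$WatchedAttributes = @(
    'msDS-ManagedAccountPrecededByLink',   # successor link abused by BadSuccessor
    'msDS-GroupMSAMembership',              # who may retrieve the dMSA password
    'msDS-DelegatedMSAState'                # migration state (assumed relevant)
)
# Assumed allow-list of accounts expected to perform dMSA migrations; adjust.
$ExpectedActors = @('svc-dmsa-migrate', 'dmsa-admin')

function ConvertFrom-SecurityEventXml {
    # Flatten <EventData><Data Name="..."> into a hashtable, plus the EventID.
    param([Parameter(Mandatory)][string]$Xml)
    $doc = [xml]$Xml
    $e = @{ EventId = [int]$doc.Event.System.EventID }
    foreach ($d in $doc.Event.EventData.Data) { $e[$d.Name] = $d.'#text' }
    return $e
}

function Test-DmsaEvent {
    # Returns an alert string, or $null when the event is not interesting.
    param([Parameter(Mandatory)][hashtable]$E)
    $actor = $E['SubjectUserName']
    if ($ExpectedActors -contains $actor) { return $null }
    switch ($E['EventId']) {
        5137 {
            if ($E['ObjectClass'] -eq 'msDS-DelegatedManagedServiceAccount') {
                return "dMSA created by $actor : $($E['ObjectDN'])"
            }
        }
        5136 {
            # %%14674 = "Value Added"; deletions (%%14675) are not alerted here.
            if ($E['OperationType'] -eq '%%14674' -and
                $WatchedAttributes -contains $E['AttributeLDAPDisplayName']) {
                return "$($E['AttributeLDAPDisplayName']) set on $($E['ObjectDN']) by $actor -> $($E['AttributeValue'])"
            }
        }
    }
    return $null
}

# Constructed sample events (not real logs): a low-privilege user creates a dMSA
# and points it at a privileged account; an expected actor does the same.
$Samples = @(
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5137</EventID></System>
  <EventData>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="ObjectDN">CN=helpdesk-svc,OU=Workstations,DC=corp,DC=example</Data>
    <Data Name="ObjectClass">msDS-DelegatedManagedServiceAccount</Data>
  </EventData>
</Event>
'@,
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5136</EventID></System>
  <EventData>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="ObjectDN">CN=helpdesk-svc,OU=Workstations,DC=corp,DC=example</Data>
    <Data Name="AttributeLDAPDisplayName">msDS-ManagedAccountPrecededByLink</Data>
    <Data Name="AttributeValue">CN=Administrator,CN=Users,DC=corp,DC=example</Data>
    <Data Name="OperationType">%%14674</Data>
  </EventData>
</Event>
'@,
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5136</EventID></System>
  <EventData>
    <Data Name="SubjectUserName">svc-dmsa-migrate</Data>
    <Data Name="ObjectDN">CN=app1-dmsa,OU=Service Accounts,DC=corp,DC=example</Data>
    <Data Name="AttributeLDAPDisplayName">msDS-ManagedAccountPrecededByLink</Data>
    <Data Name="AttributeValue">CN=app1-old,OU=Service Accounts,DC=corp,DC=example</Data>
    <Data Name="OperationType">%%14674</Data>
  </EventData>
</Event>
'@
)

function Get-DmsaAlerts {
    param([string[]]$EventXml)
    foreach ($x in $EventXml) {
        $alert = Test-DmsaEvent (ConvertFrom-SecurityEventXml $x)
        if ($alert) { $alert }
    }
}

Get-DmsaAlerts $Samples   # two alerts for jdoe; the expected actor is skipped

# Live use on a domain controller (same audit policy required):
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5136,5137} |
#   ForEach-Object { Test-DmsaEvent (ConvertFrom-SecurityEventXml $_.ToXml()) }
```

The allow-list is intentionally crude: in production, key the exception on a change ticket or on the migrating account's group membership rather than on a bare user name, and alert on 5136 events for these attributes regardless of actor if dMSA migration is not in use at all.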

Remediation

Patch, then assume compromise.

Apply Microsoft's security update for CVE-2025-53779. Reporting indicates Microsoft patched the issue by adding KDC-side validation that requires bidirectional links between the dMSA and the target account before the relevant Kerberos credential package is issued. Because the vulnerable functionality is tied to dMSA attributes introduced in Windows Server 2025 and the check lives in the KDC, every domain controller running Windows Server 2025 must be patched; a single unpatched DC can still be used as the issuing KDC. Then review delegated permissions that allow non-admin principals to create dMSAs or modify the dMSA migration-link attributes, and remove rights that are not needed.
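The delegation review called for in the mitigation and remediation steps above, as an added example that is not code from this page, from Microsoft, or from the exploit repository: it lists OUs and containers where principals outside an assumed admin allow-list hold CreateChild (and so could create a dMSA), and lists existing dMSAs that already carry a predecessor link. It assumes the RSAT ActiveDirectory module, read access to the ACLs, and that the allow-list below is adjusted to the forest.

```powershell
# Added example (not from the page, Microsoft, or the exploit repo): find who
# can create objects in each OU/container, and which dMSAs already claim a
# predecessor. Requires the RSAT ActiveDirectory module (provides the AD: drive).
Import-Module ActiveDirectory

# Assumed allow-list; matched on the trailing account/group name. Adjust.
$AdminAllowList = @('SYSTEM', 'Administrators', 'Domain Admins', 'Enterprise Admins',
                    'Enterprise Domain Controllers', 'Domain Controllers')

# Resolve the dMSA class GUID from the schema so class-scoped CreateChild ACEs match.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$dmsaClassGuid = [guid](Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(ldapDisplayName=msDS-DelegatedManagedServiceAccount)' `
    -Properties schemaIDGUID).schemaIDGUID

function Get-DmsaCreateDelegations {
    # One row per (container, principal) that could create a dMSA there.
    $containers = Get-ADObject -LDAPFilter '(|(objectClass=organizationalUnit)(objectClass=container))'
    foreach ($c in $containers) {
        $acl = Get-Acl -Path "AD:\$($c.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $id = $ace.IdentityReference.Value
            if ($AdminAllowList | Where-Object { $id -like "*\$_" -or $id -eq $_ }) { continue }
            # GenericAll (0xF01FF) includes the CreateChild bit, so one test covers both.
            $createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
            if (($ace.ActiveDirectoryRights -band $createChild) -eq 0) { continue }
            # CreateChild scoped to some other object class cannot create a dMSA.
            if ($ace.ObjectType -ne [guid]::Empty -and $ace.ObjectType -ne $dmsaClassGuid) { continue }
            [pscustomobject]@{
                Container = $c.DistinguishedName
                Principal = $id
                Rights    = $ace.ActiveDirectoryRights
                Scope     = $(if ($ace.ObjectType -eq $dmsaClassGuid) { 'dMSA class' } else { 'any class' })
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Get-LinkedDmsas {
    # Every dMSA with msDS-ManagedAccountPrecededByLink set is a migration claim;
    # each one should match an approved migration, and the predecessor should
    # never be a privileged account or a domain controller.
    Get-ADObject -LDAPFilter '(&(objectClass=msDS-DelegatedManagedServiceAccount)(msDS-ManagedAccountPrecededByLink=*))' `
        -Properties msDS-ManagedAccountPrecededByLink, msDS-DelegatedMSAState, msDS-GroupMSAMembership, whenCreated |
      ForEach-Object {
        # msDS-GroupMSAMembership is a security descriptor: who may fetch the password.
        $readers = $_.'msDS-GroupMSAMembership'.Access | ForEach-Object { $_.IdentityReference.Value }
        [pscustomobject]@{
            dMSA            = $_.DistinguishedName
            Predecessor     = $_.'msDS-ManagedAccountPrecededByLink'
            State           = $_.'msDS-DelegatedMSAState'
            Created         = $_.whenCreated
            PasswordReaders = ($readers -join ';')
        }
      }
}

Get-DmsaCreateDelegations | Sort-Object Container | Format-Table -AutoSize
Get-LinkedDmsas | Format-Table -AutoSize
```

Treat every row from the first query as a principal who could have run the exploit before the patch, and every row from the second whose predecessor is privileged, or whose PasswordReaders include a non-service principal, as a candidate for the assume-compromise checklist.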
PUBLIC EXPLOITS

Exploits

1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos (1 hidden).

Invoke-BadSuccessor.ps1 · Maturity: PoC · Verified exploit

This repository contains a PowerShell script, Invoke-BadSuccessor.ps1, and a README.md. The script is a fully automated exploit for the BadSuccessor vulnerability (CVE-2025-53779) in Windows Server 2025 Active Directory environments. It abuses delegated dMSA creation rights on Organizational Units (OUs) to escalate privileges: it identifies OUs where the current user has CreateChild rights, creates or reuses a computer account and a dMSA, grants the attacker full control over the dMSA, and links the dMSA to a privileged account. It then prints post-exploitation instructions for obtaining Kerberos tickets as the dMSA with Rubeus, which yields impersonation of the linked privileged account. The exploit requires the RSAT ActiveDirectory PowerShell module and an existing foothold with at least one delegated OU. The repository is well documented; the README covers usage, each function, and the post-exploitation steps. No external network endpoints are hardcoded; all operations run against the local Active Directory via the PowerShell AD provider and LDAP.

Author: b5null · Disclosed Nov 19, 2025 · Languages: PowerShell, Markdown · Access required: local
EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability.

Vendor                | Product             | Type
Microsoft Corporation | Windows Server 2025 | operating_system

Vendor-confirmed product mapping.
