Semperis has announced new detection features in its Directory Services Protector (DSP) platform to guard against a critical security flaw in Windows Server 2025. The vulnerability, known as “BadSuccessor,” allows attackers to escalate privileges by exploiting a new feature called delegated Managed Service Accounts (dMSAs).
The update was developed in collaboration with Akamai, whose research team first uncovered the flaw. With no official patch currently available, these new capabilities offer a practical way for organisations to monitor and detect suspicious activity before a compromise can take place.
Exposing a flaw in service account delegation
The BadSuccessor vulnerability targets dMSAs, a feature introduced in Windows Server 2025 intended to strengthen service account security. However, Akamai researchers discovered that attackers can exploit dMSAs to impersonate high-privilege Active Directory users, including Domain Admins. This can be done without triggering alerts and without requiring an available patch.
The flaw highlights a broader issue in enterprise identity security: poor governance of service accounts. These accounts are often configured with excessive privileges or left unmonitored, giving attackers a hidden path to escalate access and move laterally across networks.
“The abuse of service accounts is a growing concern, and this high-profile vulnerability is a wake-up call,” said Yuval Gordon, Security Researcher at Akamai. “Semperis moved quickly to translate the vulnerability into real-world detection capabilities for defenders, demonstrating how collaboration between researchers and vendors can lead to rapid, meaningful impact.”
New detection features added to Semperis DSP
In response to the vulnerability, Semperis has introduced one new Indicator of Exposure (IOE) and three Indicators of Compromise (IOCs) to its DSP platform. These updates are designed to help security teams identify abnormal behaviour linked to dMSAs.
The indicators focus on detecting excessive delegation rights, suspicious associations between dMSAs and privileged accounts, and attempts to manipulate sensitive accounts such as KRBTGT, which handles authentication tickets in Active Directory.
Tomer Nahum, Security Researcher at Semperis, said, “Service accounts remain one of the least governed yet most powerful assets in enterprise environments. This collaboration with Akamai allowed us to close detection gaps fast and give defenders visibility into a deeply complex area of Active Directory that attackers continue to exploit.”
Call for proactive defence until a patch is available
The vulnerability affects any organisation running at least one domain controller on Windows Server 2025. Even a single misconfigured server could expose the entire environment to risk. While Microsoft has not yet issued a fix, Semperis and Akamai are urging organisations to take immediate action.
Until a patch is released, businesses are advised to audit their dMSA configurations and use updated detection platforms such as Semperis DSP to monitor for signs of misuse. The swift collaboration between security vendors and researchers is seen as a positive step in addressing identity-based threats before they cause widespread damage.
