Semperis announced new detection capabilities in its Directory
Services Protector (DSP) platform to defend against "BadSuccessor," a high-severity privilege escalation
technique targeting a newly introduced feature in Windows Server 2025. The
enhancements, developed in direct collaboration with the Akamai research team
that discovered the vulnerability, enable organizations to detect and respond to
exploitation attempts before attackers can escalate privileges and compromise
the domain.
BadSuccessor exploits delegated Managed Service Accounts (dMSAs), a new
Windows Server 2025 feature meant to improve service account security. Akamai researchers demonstrated how attackers can abuse dMSAs to
impersonate high-privilege users in Active Directory (AD), including Domain
Admins. No patch is currently available.
This high-severity exploitation vector underscores a long-standing challenge
in enterprise identity security: managing service accounts. These accounts
often operate with excessive or unmonitored privileges, creating hidden attack
paths ripe for exploitation.
In response, Semperis updated its DSP platform with one new indicator of
exposure (IOE) and three indicators of compromise (IOCs) to detect abnormal
dMSA behavior. These indicators help security teams spot excessive delegation
rights, malicious links between dMSAs and privileged accounts, and attempts to
target sensitive accounts like KRBTGT.
"Semperis moved quickly to translate the vulnerability into real-world
detection capabilities for defenders, demonstrating how collaboration between
researchers and vendors can lead to rapid, meaningful impact," said Yuval
Gordon, Security Researcher at Akamai. "The abuse of service accounts is a
growing concern, and this high-profile vulnerability is a wake-up
call."
"Service accounts remain one of the least governed yet most powerful
assets in enterprise environments," said Tomer Nahum, Security Researcher
at Semperis. "This collaboration with Akamai allowed us to close detection
gaps fast and give defenders visibility into a deeply complex area of Active
Directory that attackers continue to exploit."
The vulnerability affects any organization with at least one domain
controller running Windows Server 2025. Even a single misconfigured DC can
introduce risk across the environment. Until a patch is released, organizations
are urged to audit dMSA permissions and monitor for signs of misuse using
enhanced detection tools like Semperis DSP.