
It was built to secure service accounts.
Instead, it became the cleanest privilege-escalation vector of 2025.
They called it BadSuccessor (tracked as CVE-2025-53779).
A new “secure by design” feature in Windows Server 2025, the delegated Managed Service Account (dMSA), was supposed to fix service account hygiene. Instead, it introduced a loophole: a principal that can create a dMSA in an organizational unit could mark that dMSA as the successor of any target account, never touch the target's password, and silently inherit the target's rights when Kerberos issued the dMSA a ticket.
Including domain admin.
Even after Microsoft patched the issue, the deeper risk remains:
Service accounts are over-privileged, under-monitored, and dangerously trusted, and adversaries know it.
This isn’t a niche AD misconfiguration.
It’s a privilege-escalation design flaw hiding inside a security feature, and a warning shot for every environment leaning on default trust in the identity layer.
Watch host Rob Maas, Field CTO at ON2IT, and Luca Cipriano, CTI & Red Team Lead at ON2IT, break down how BadSuccessor works, how an attacker exploits it, and what a Zero Trust AD strategy actually looks like in 2025.
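If you want to check your own domain while you listen, the hunting script below is an added example; it is not from the episode, the Threat Talks page, or ON2IT. It assumes the Windows Server 2025 schema (object class msDS-DelegatedManagedServiceAccount, attributes msDS-ManagedAccountPrecededByLink and msDS-DelegatedMSAState, where state 2 means "migration completed"), the ActiveDirectory RSAT module, and an account that can read OU ACLs. It answers the two questions the attack turns on: which dMSAs already claim a predecessor, and who is allowed to create dMSA objects in your OUs. The list of built-in admin groups it ignores is an assumption you should adjust for your environment.

```powershell
# Added hunting script for BadSuccessor exposure (not ON2IT's or Microsoft's code).
# Requires the ActiveDirectory module; run with an account that can read OU ACLs.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext

# 1. Resolve the schemaIDGUID of the dMSA object class so object-specific
#    CreateChild grants in OU ACLs can be matched, not just GenericAll.
$dmsaClass = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=msDS-DelegatedManagedServiceAccount)' `
    -Properties schemaIDGUID
$dmsaGuid = [guid]$dmsaClass.schemaIDGUID
$anyGuid  = [guid]'00000000-0000-0000-0000-000000000000'   # ACE applies to any child class

# 2. Every dMSA that claims a predecessor: which account it inherits from,
#    whether the migration is marked complete (state 2), and whether the
#    predecessor is a protected (adminCount=1) account.
Write-Host "== dMSAs with a predecessor link =="
$dmsas = Get-ADObject -LDAPFilter '(objectClass=msDS-DelegatedManagedServiceAccount)' `
    -Properties msDS-ManagedAccountPrecededByLink, msDS-DelegatedMSAState, whenCreated

foreach ($d in $dmsas) {
    $pred = $d.'msDS-ManagedAccountPrecededByLink'
    if (-not $pred) { continue }
    $predObj = Get-ADObject -Identity $pred -Properties adminCount
    [pscustomobject]@{
        dMSA         = $d.DistinguishedName
        Predecessor  = $pred
        State        = $d.'msDS-DelegatedMSAState'   # 2 = migration completed
        PredIsAdmin  = ($predObj.adminCount -eq 1)
        Created      = $d.whenCreated
    }
}

# 3. Who can create a dMSA (or any child object) in each OU? That permission,
#    or the ability to grant it to yourself, is the only foothold the attack needs.
Write-Host "== Non-admin principals able to create dMSAs in OUs =="
$builtinAdmins = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'SYSTEM')  # assumption: tune per domain
$ous = Get-ADOrganizationalUnit -Filter *

foreach ($ou in $ous) {
    $acl = Get-Acl -Path ("AD:\" + $ou.DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights    = $ace.ActiveDirectoryRights.ToString()
        # GenericAll/WriteDacl/WriteOwner let a principal grant itself CreateChild.
        $canCreate = $rights -match 'CreateChild|GenericAll|WriteDacl|WriteOwner'
        $scoped    = ($ace.ObjectType -eq $anyGuid) -or ($ace.ObjectType -eq $dmsaGuid)
        $who       = $ace.IdentityReference.Value.Split('\')[-1]
        if ($canCreate -and $scoped -and ($builtinAdmins -notcontains $who)) {
            [pscustomobject]@{
                OU         = $ou.DistinguishedName
                Principal  = $ace.IdentityReference.Value
                Rights     = $rights
                ObjectType = $ace.ObjectType
                Inherited  = $ace.IsInherited
            }
        }
    }
}
```

Anything in the first table whose predecessor is a protected account and that nobody remembers migrating deserves an immediate look; anything in the second table is a principal that could have run this attack against an unpatched Windows Server 2025 domain controller. For ongoing detection, audit directory-service object creation (event 5137) for msDS-DelegatedManagedServiceAccount objects and attribute changes (event 5136) to msDS-ManagedAccountPrecededByLink, and remember that the patch does not remove the underlying trust model: the fix is to make dMSA creation an explicitly delegated, monitored privilege.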
Got your attention?
Subscribe to Threat Talks and turn on notifications for deep dives into the world’s leading cyber threats and trends.
Guest and Host Links:
Rob Maas (Field CTO, ON2IT): https://threat-talks.com/the-hosts/
Luca Cipriano (CTI & Red Team Lead, ON2IT): https://threat-talks.com/the-hosts/
Additional Resources
Threat Talks: https://threat-talks.com/
ON2IT (Zero Trust as a Service): https://on2it.net/
AMS-IX: https://www.ams-ix.net/ams
👕 Receive your Threat Talks T-shirt
https://threat-talks.com/
🗺️ Explore the Hack's Route in Detail 🗺️
https://threat-talks.com
🕵️ Threat Talks is a collaboration between @ON2IT and @AMS-IX
By Threat Talks