Bad Successor: The Service Account Flaw to Watch

09/12/2025 17 min

Episode Synopsis


It was built to secure service accounts. Instead, it became the cleanest privilege-escalation vector of 2025. They called it Bad Successor (CVE-2025-53779).

A new "secure by design" feature in Windows Server 2025, the delegated Managed Service Account (dMSA), was supposed to fix service account hygiene. Instead, it introduced a loophole: an attacker who could create a dMSA object in an OU could claim successor status over any target account and silently inherit its rights, without ever needing the target's password. Including domain admin.

Even after Microsoft patched the issue, the deeper risk remains: service accounts are over-privileged, under-monitored and dangerously trusted, and adversaries know it.

This isn't a niche AD misconfiguration. It's a privilege-escalation design flaw hiding inside a security feature, and a warning shot for every environment leaning on default trust in the identity layer.

Watch host Rob Maas, Field CTO at ON2IT, and Luca Cipriano, CTI & Red Team Lead at ON2IT, break down how Bad Successor works, how attackers exploited it, and what a Zero Trust AD strategy actually looks like in 2025.

(00:00) - Intro & why service accounts still matter

(00:46) - What are service accounts really for?

(01:31) - dMSA explained: Microsoft's new delegated managed service account

(02:56) - How dMSA migration works (the phone-migration analogy)

(04:40) - What is Bad Successor & why it matters

(08:00) - How widespread is this vulnerability?

(11:42) - Microsoft's patch & post-patch stealth paths: is the patch working?

(14:03) - Defending AD: patching, OU permissions & logging

(15:23) - Is Bad Successor the biggest Active Directory attack in your toolbox?
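The defensive chapter above points at two controls: who holds permissions on OUs, and what gets logged. The PowerShell below is an added example, not code from the episode or from ON2IT. It checks the precondition the abuse chain depends on (a principal who can create a dMSA child object under some OU or container) and lists existing dMSAs that already claim a predecessor account. It assumes the ActiveDirectory RSAT module, domain-joined execution as a reader of the directory, and a forest whose schema contains the Windows Server 2025 class msDS-DelegatedManagedServiceAccount; the `$trusted` list of principals that legitimately hold these rights is an assumption to tune per environment.

```powershell
# Added example (not from the Threat Talks episode). Two defender checks:
#  1. Which principals, beyond the built-in admin groups, can plant a dMSA under an OU or
#     container: CreateChild scoped to the dMSA class (or to any class), or GenericAll,
#     WriteDacl or WriteOwner on the container itself.
#  2. Which existing dMSAs already claim a predecessor via msDS-ManagedAccountPrecededByLink.
# Assumes the ActiveDirectory RSAT module and a schema containing the Windows Server 2025
# class msDS-DelegatedManagedServiceAccount. $trusted is an assumption: tune it per environment.
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE
$domain  = Get-ADDomain
$netbios = $domain.NetBIOSName

# Resolve the dMSA class GUID from the schema rather than hard-coding it.
$dmsaClass = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=msDS-DelegatedManagedServiceAccount)' -Properties schemaIDGUID
if (-not $dmsaClass) { throw 'dMSA class not present in the schema; no Windows Server 2025 schema in this forest.' }
$dmsaGuid = [guid]$dmsaClass.schemaIDGUID
$anyClass = [guid]::Empty   # an ACE with an empty ObjectType covers every child class

# Assumed baseline of principals expected to hold these rights; everything else is reported.
$trusted = @(
    'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
    "$netbios\Domain Admins", "$netbios\Enterprise Admins"
)

$riskyRights = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, GenericAll, WriteDacl, WriteOwner'
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

$containers = Get-ADObject -SearchBase $domain.DistinguishedName `
    -LDAPFilter '(|(objectClass=organizationalUnit)(objectClass=container))' `
    -Properties nTSecurityDescriptor

# Only Allow ACEs are evaluated; a matching Deny ACE would have to be reviewed by hand.
$findings = foreach ($c in $containers) {
    foreach ($ace in $c.nTSecurityDescriptor.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # InheritOnly ACEs do not apply to this container, only to objects below it.
        if (($ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }
        if (($ace.ActiveDirectoryRights -band $riskyRights) -eq 0) { continue }
        # A CreateChild ACE scoped to a different object class cannot create a dMSA.
        if ($ace.ObjectType -ne $anyClass -and $ace.ObjectType -ne $dmsaGuid) { continue }
        if ($trusted -contains $ace.IdentityReference.Value) { continue }
        [pscustomobject]@{
            Container = $c.DistinguishedName
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.ActiveDirectoryRights
            Inherited = $ace.IsInherited
        }
    }
}
$findings | Sort-Object Container | Format-Table -AutoSize

# Existing dMSAs that already name a predecessor (state 2 = migration completed).
# Every row should correspond to a migration someone planned; anything else is a successor claim to investigate.
Get-ADObject -SearchBase $domain.DistinguishedName `
    -LDAPFilter '(&(objectClass=msDS-DelegatedManagedServiceAccount)(msDS-ManagedAccountPrecededByLink=*))' `
    -Properties 'msDS-ManagedAccountPrecededByLink', 'msDS-DelegatedMSAState', whenCreated |
    Select-Object DistinguishedName, 'msDS-ManagedAccountPrecededByLink', 'msDS-DelegatedMSAState', whenCreated |
    Format-Table -AutoSize

# Logging: with "Directory Service Changes" auditing enabled and a SACL on the OUs, creation of a
# dMSA object is recorded as Security event 5137 and a later change to its predecessor link as 5136.
auditpol /set /subcategory:"Directory Service Changes" /success:enable
```

Run it from a management host with RSAT against each domain in the forest; the first table is the list of OUs where a non-admin principal could start the chain, and removing or scoping those rights is the least-privilege fix the episode argues for. The second table is the set of successor claims that already exist, which is what the logging should have caught as they were created.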
Key Topics Covered

• How a security upgrade became a privilege-escalation vector.
• Why service account security failures create invisible attack paths.
• The real dMSA abuse chain: create child objects in an OU → claim successor status → domain admin.
• Zero Trust defenses for AD: permissions, logging, rotation, least privilege.

Got your attention? Subscribe to Threat Talks and turn on notifications for deep dives into the world's leading cyber threats and trends.

Guest and Host Links:
Rob Maas (Field CTO, ON2IT): https://threat-talks.com/the-hosts/
Luca Cipriano (CTI & Red Team Lead, ON2IT): https://threat-talks.com/the-hosts/

Additional Resources
Threat Talks: https://threat-talks.com/
ON2IT (Zero Trust as a Service): https://on2it.net/
AMS-IX: https://www.ams-ix.net/ams
Follow Threat Talks:
► YouTube: https://youtube.com/@ThreatTalks
► Spotify: https://open.spotify.com/show/1SXUyUEndOeKYREvlAeD7E
► Apple Podcasts: https://podcasts.apple.com/us/podcast/threat-talks-your-gateway-to-cybersecurity-insights/id1725776520

Threat Talks is a collaboration between @ON2IT and @AMS-IX.