Semperis enhances DSP with indicators to detect and mitigate BadSuccessor exploits.
HOBOKEN, N.J., June 9, 2025 -- Semperis, a leader in AI-powered identity security and cyber resilience, today announced new detection capabilities in its Directory Services Protector (DSP) platform to defend against "BadSuccessor," a high-severity privilege escalation technique targeting a newly introduced feature in Windows Server 2025. The enhancements—developed in direct collaboration with the Akamai research team that discovered the vulnerability—enable organizations to detect and respond to exploitation attempts before attackers can escalate privileges and compromise the domain.
BadSuccessor exploits delegated Managed Service Accounts (dMSAs), a new Windows Server 2025 feature meant to improve service account security. Akamai researchers demonstrated how attackers can abuse dMSAs to impersonate high-privilege users in Active Directory (AD), including Domain Admins. No patch is currently available.
This high-severity exploitation vector underscores a long-standing challenge in enterprise identity security: managing service accounts. These accounts often operate with excessive or unmonitored privileges, creating hidden attack paths ripe for exploitation.
In response, Semperis updated its DSP platform with one new indicator of exposure (IOE) and three indicators of compromise (IOCs) to detect abnormal dMSA behavior. These indicators help security teams spot excessive delegation rights, malicious links between dMSAs and privileged accounts, and attempts to target sensitive accounts like KRBTGT.
"Semperis moved quickly to translate the vulnerability into real-world detection capabilities for defenders, demonstrating how collaboration between researchers and vendors can lead to rapid, meaningful impact," said Yuval Gordon, Security Researcher at Akamai. "The abuse of service accounts is a growing concern, and this high-profile vulnerability is a wake-up call."
"Service accounts remain one of the least governed yet most powerful assets in enterprise environments," said Tomer Nahum, Security Researcher at Semperis. "This collaboration with Akamai allowed us to close detection gaps fast and give defenders visibility into a deeply complex area of Active Directory that attackers continue to exploit."
The vulnerability affects any organization with at least one domain controller running Windows Server 2025. Even a single misconfigured DC can introduce risk across the environment. Until a patch is released, organizations are urged to audit dMSA permissions and monitor for signs of misuse using enhanced detection tools like Semperis DSP.
To learn more about Semperis' BadSuccessor mitigation capabilities, visit the blog: https://www.semperis.com/blog/badsuccessor-how-to-detect-mitigate-dmsa-privilege-escalation/
About Semperis
Semperis protects critical enterprise identity services for security teams charged with defending hybrid and multi-cloud environments. Purpose-built for securing hybrid identity environments—including Active Directory, Entra ID, and Okta—Semperis' AI-powered technology protects over 100 million identities from cyberattacks, data breaches, and operational errors.
As part of its mission to be a force for good, Semperis offers a variety of cyber community resources, including the award-winning Hybrid Identity Protection (HIP) Conference, HIP Podcast, and free identity security tools Purple Knight and Forest Druid. Semperis is a privately owned, international company headquartered in Hoboken, New Jersey, supporting the world's biggest brands and government agencies, with customers in more than 40 countries.
Learn more: https://www.semperis.com