Bad Successor: The Service Account Flaw to Watch

https://is1-ssl.mzstatic.com/image/thumb/Podcasts211/v4/87/c2/f8/87c2f8ef-8e03-63a6-264f-698f5239d96e/mza_17716733432111276097.jpg/600x600bb.jpg

Threat Talks - Your Gateway to Cybersecurity Insights

Threat Talks

103 episodes

6 days ago

Threat Talks is your cybersecurity knowledge hub. Unpack the latest threats and explore industry trends with top experts as they break down the complexities of cyber threats. We make complex cybersecurity topics accessible and engaging for everyone, from IT professionals to every day internet users by providing in-depth and first-hand experiences from leading cybersecurity professionals. Join us for monthly deep dives into the dynamic world of cybersecurity, so you can stay informed, and stay secure!

Tech News

News

RSS

All content for Threat Talks - Your Gateway to Cybersecurity Insights is the property of Threat Talks and is served directly from their servers with no modification, redirects, or rehosting. The podcast is not affiliated with or endorsed by Podjoint in any way.

Tech News

News

https://img.transistor.fm/YJoo7ELSPRSlZaTbf1s5LgvQWp8jLtW9g-OE1HgoR4M/rs:fill:0:0:1/w:1400/h:1400/q:60/mb:500000/aHR0cHM6Ly9pbWct/dXBsb2FkLXByb2R1/Y3Rpb24udHJhbnNp/c3Rvci5mbS8yNmZm/NmU5Y2NkYmNmNTlm/Mzk4OGI4MjM4OTUx/ZDQyOS5qcGc.jpg

Bad Successor: The Service Account Flaw to Watch

Threat Talks - Your Gateway to Cybersecurity Insights

17 minutes

4 weeks ago

Bad Successor: The Service Account Flaw to Watch

It was built to secure service accounts.
Instead, it became the cleanest privilege-escalation vector of 2025.

They called it Bad Successor (A.K.A. CVE-2025-53779).

A new “secure by design” feature in Windows Server 2025 -DMSA -was supposed to fix service account hygiene. Instead, it introduced a loophole where attackers could claim successor status, skip password requirements, and silently inherit elevated rights from any target account.

Including domain admin.

Even after Microsoft patched the issue, the deeper risk remains:
Service accounts are over-privileged, under-monitored, and dangerously trusted -and adversaries know it.

This isn’t a niche AD misconfiguration.

It’s a privilege-escalation design flaw hiding inside a security feature, and a warning shot for every environment leaning on default trust in the identity layer.

Watch host Rob Maas, Field CTO at ON2IT, and Luca Cipriano, CTI & Red Team Lead at ON2IT break down how Bad Successor works, how attackers exploited it, and what a Zero Trust AD strategy actually looks like in 2025.

(00:00) - Intro & why service accounts still matter
(00:46) - What are service accounts really for?
(01:31) - DMSA explained: Microsoft’s new managed service account
(02:56) - How DMSA migration works (the phone-migration analogy)
(04:40) - What is Bad Successor & why it matters
(08:00) - How widespread is this vulnerbility?
(11:42) - – Microsoft’s patch & post-patch stealth paths – is the patch working?
(14:03) - Defending AD: patching, OU permissions & logging
(15:23) - Is Bad Proccessor the biggest active directory attack in your tool box?

Key Topics Covered
• How a security upgrade became a privilege-escalation vector.
• Why service account security failures create invisible attack paths.
• The real DMSA abuse chain: child objects → successor claim → domain admin.
• Zero Trust defenses for AD: permissions, logging, rotation, least privilege.

Got your attention?
Subscribe to Threat Talks and turn on notifications for deep dives into the world’s leading cyber threats and trends.

Guest and Host Links:
Rob Maas (Field CTO, ON2IT): https://threat-talks.com/the-hosts/
Luca Cipriano (CTI & Red Team Lead, ON2IT): https://threat-talks.com/the-hosts/

Additional Resources
Threat Talks: https://threat-talks.com/
ON2IT (Zero Trust as a Service): https://on2it.net/
AMS-IX: https://www.ams-ix.net/ams

Click here to view the episode transcript.

🔔 Follow and Support our channel! 🔔
===
► YOUTUBE: https://youtube.com/@ThreatTalks
► SPOTIFY: https://open.spotify.com/show/1SXUyUEndOeKYREvlAeD7E
► APPLE: https://podcasts.apple.com/us/podcast/threat-talks-your-gateway-to-cybersecurity-insights/id1725776520

👕 Receive your Threat Talks T-shirt
https://threat-talks.com/

🗺️ Explore the Hack's Route in Detail 🗺️
https://threat-talks.com

🕵️ Threat Talks is a collaboration between @ON2IT and @AMS-IX