It was built to secure service accounts.
Instead, it became the cleanest privilege-escalation vector of 2025.
They called it Bad Successor (A.K.A. CVE-2025-53779).
A new “secure by design” feature in Windows Server 2025, DMSA, was supposed to fix service account hygiene. Instead, it introduced a loophole where attackers could claim successor status, skip password requirements, and silently inherit elevated rights from any target account.
Including domain admin.
Even after Microsoft patched the issue, the deeper risk remains:
Service accounts are over-privileged, under-monitored, and dangerously trusted, and adversaries know it.
This isn’t a niche AD misconfiguration.
It’s a privilege-escalation design flaw hiding inside a security feature, and a warning shot for every environment leaning on default trust in the identity layer.
Watch host Rob Maas, Field CTO at ON2IT, and Luca Cipriano, CTI & Red Team Lead at ON2IT, break down how Bad Successor works, how attackers exploited it, and what a Zero Trust AD strategy actually looks like in 2025.
- (00:00) - Intro & why service accounts still matter
- (00:46) - What are service accounts really for?
- (01:31) - DMSA explained: Microsoft’s new managed service account
- (02:56) - How DMSA migration works (the phone-migration analogy)
- (04:40) - What is Bad Successor & why it matters
- (08:00) - How widespread is this vulnerability?
- (11:42) - Microsoft’s patch & post-patch stealth paths: is the patch working?
- (14:03) - Defending AD: patching, OU permissions & logging
- (15:23) - Is Bad Successor the biggest Active Directory attack in your toolbox?
Key Topics Covered
• How a security upgrade became a privilege-escalation vector.
• Why service account security failures create invisible attack paths.
• The real DMSA abuse chain: child objects → successor claim → domain admin.
• Zero Trust defenses for AD: permissions, logging, rotation, least privilege.
Got your attention?
Subscribe to Threat Talks and turn on notifications for deep dives into the world’s leading cyber threats and trends.
Guest and Host Links:
Rob Maas (Field CTO, ON2IT): https://threat-talks.com/the-hosts/
Luca Cipriano (CTI & Red Team Lead, ON2IT): https://threat-talks.com/the-hosts/
Additional Resources
Threat Talks: https://threat-talks.com/
ON2IT (Zero Trust as a Service): https://on2it.net/
AMS-IX: https://www.ams-ix.net/ams
🔔 Follow and Support our channel! 🔔
===
► YOUTUBE: https://youtube.com/@ThreatTalks
► SPOTIFY: https://open.spotify.com/show/1SXUyUEndOeKYREvlAeD7E
► APPLE: https://podcasts.apple.com/us/podcast/threat-talks-your-gateway-to-cybersecurity-insights/id1725776520
👕 Receive your Threat Talks T-shirt
https://threat-talks.com/
🗺️ Explore the Hack's Route in Detail 🗺️
https://threat-talks.com
🕵️ Threat Talks is a collaboration between @ON2IT and @AMS-IX