Clustered Points of Failure: Attacking Windows Server Failover Clusters
Black Hat USA 2025 · Day 1 · Briefings
Windows Server Failover Clustering (WSFC) introduces hidden Active Directory machine accounts — Cluster Name Objects (CNOs) and Virtual Cluster Objects (VCOs) — that share password material across every node in the cluster via LSASS, making node compromise equivalent to full cluster compromise. Misconfigured CNO permissions have created real-world paths from clustered service accounts to full domain compromise in enterprise environments, and the recently disclosed "Bad Successor" vulnerability dramatically raises the stakes.
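The abstract's point about misconfigured CNO permissions suggests a concrete check a defender can run ahead of the talk: enumerate the cluster's Network Name resources, map each to its Active Directory computer object (the cluster's own name is the CNO, the client access points of roles are VCOs), and list any write-level access control entries held by principals outside a short allow-list. The script below is an added example, not material from the talk or from Microsoft; it assumes the FailoverClusters and ActiveDirectory RSAT modules are installed, that the caller can read the cluster and the directory, and that `CLUSTER01` and the `<DOMAIN>` entries are placeholders to be replaced with real values.

```powershell
# Added example (not from the talk): audit the AD ACLs of a cluster's CNO and
# VCO computer objects for write-level rights held by unexpected principals.
# Assumes RSAT FailoverClusters + ActiveDirectory modules are available.
Import-Module FailoverClusters
Import-Module ActiveDirectory

$ClusterName = 'CLUSTER01'   # placeholder: NetBIOS name of the cluster to audit

# Principals that are expected to hold write rights on cluster computer objects.
# '<DOMAIN>' is a placeholder for the NetBIOS domain name.
$AllowedIdentities = @(
    'NT AUTHORITY\SYSTEM',
    'NT AUTHORITY\SELF',
    'BUILTIN\Administrators',
    '<DOMAIN>\Domain Admins',
    '<DOMAIN>\Enterprise Admins'
)

# Rights that let a principal take over or reconfigure the object.
$WriteRights = 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty|ExtendedRight|Self'

# Every Network Name resource is backed by an AD computer object. The one in
# the core 'Cluster Group' is the CNO; the others are VCOs the CNO created.
$nameResources = Get-ClusterResource -Cluster $ClusterName |
    Where-Object { $_.ResourceType.Name -eq 'Network Name' }

$findings = foreach ($res in $nameResources) {
    $adName = ($res | Get-ClusterParameter -Name Name).Value
    $kind   = if ($res.OwnerGroup.Name -eq 'Cluster Group') { 'CNO' } else { 'VCO' }

    $comp = Get-ADComputer -Identity $adName -ErrorAction SilentlyContinue
    if (-not $comp) {
        Write-Warning "No AD computer object found for $kind '$adName'"
        continue
    }

    # The ActiveDirectory module exposes the directory as the AD: PSDrive.
    $acl = Get-Acl -Path "AD:\$($comp.DistinguishedName)"

    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights.ToString() -match $WriteRights) -and
            ($AllowedIdentities -notcontains $_.IdentityReference.Value)
        } |
        ForEach-Object {
            [pscustomobject]@{
                Cluster   = $ClusterName
                Object    = $adName
                Kind      = $kind
                Principal = $_.IdentityReference.Value
                Rights    = $_.ActiveDirectoryRights
                Inherited = $_.IsInherited
            }
        }
}

# Anything listed here is a principal that can rewrite a cluster identity
# without being a cluster or domain administrator; review each entry.
$findings | Sort-Object Kind, Object, Principal | Format-Table -AutoSize
```

Inherited ACEs are reported alongside explicit ones because a permissive OU above the cluster objects is the usual way such rights arrive unnoticed; a finding with `Inherited = True` should be traced to the containing OU rather than fixed on the computer object alone.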
AI review
Foster went digging into infrastructure nobody thinks about — and found domain compromise hiding in 34-year-old clustering tech. CNOs and VCOs sharing password material across every node via LSASS is a clean, real finding backed by actual enterprise telemetry. The Bad Successor tie-in transforms a "medium severity" misconfiguration into an immediate crisis.