Here’s a summary of the critical findings from Semperis regarding Windows Server 2025 and the new design flaw:
Golden dMSA Flaw Overview
What is Golden dMSA?
Golden dMSA is a critical design flaw in delegated Managed Service Accounts (dMSA) in Windows Server 2025.
It allows attackers to generate managed service account passwords and maintain undetected persistence in Active Directory environments.
How is the attack possible?
The vulnerability stems from the ManagedPasswordId structure, which is built from predictable time-based components, leaving only 1,024 possible combinations.
This small, predictable key space makes brute-force attacks trivial, letting threat actors quickly generate valid passwords and move laterally across domains.
Implications
Attackers can exploit this flaw to access all managed service accounts and their resources and to persist in the Active Directory environment indefinitely, which is what makes it especially dangerous.
Tool: GoldenDMSA
Semperis researcher Adi Malyanker built the GoldenDMSA tool to help defenders understand, simulate, and evaluate how this attack works.
The tool is designed for researchers and defenders to assess the practical risk in real-world environments.
Additional Research and Defense
Semperis also explored:
nOauth Flaw: A vulnerability allowing account takeover in Microsoft Entra ID-integrated SaaS apps.
BadSuccessor Detection: Privilege escalation in new Windows Server 2025 features.
Silver SAML: A variant of the SolarWinds-era Golden SAML attack, bypassing Entra ID application defenses.
New detection capabilities against these threats have been integrated into Semperis’s Directory Services Protector platform.
Recommendations
Organizations should evaluate their use of dMSAs, update configurations, monitor for unusual activities, and consider deploying tools like GoldenDMSA for defense assessment.
Proactive assessment is critical to staying ahead of attackers exploiting these emerging vulnerabilities.