
Semperis, a leader in identity security, has uncovered a critical design flaw in Windows Server 2025 that exposes Delegated Managed Service Accounts (dMSAs) to a high-impact attack known as "Golden dMSA." This vulnerability enables attackers to perform cross-domain lateral movement and maintain persistent access to all dMSAs across Active Directory environments.
The Golden dMSA attack exploits a cryptographic weakness within the ManagedPasswordId structure of dMSAs. This structure contains predictable time-based components with only 1,024 possible combinations, making brute-force password generation computationally trivial. By leveraging this flaw, attackers can generate service account passwords and persist undetected within Active Directory environments. (semperis.com)
To demonstrate and facilitate understanding of this attack, Semperis researcher Adi Malyanker developed a tool called GoldenDMSA. This tool incorporates the attack's logic, allowing users to explore, evaluate, and simulate how the technique may be exploited in real-world scenarios. Malyanker emphasized the importance of proactive assessment, stating, "Organizations should proactively assess their systems to stay ahead of this emerging threat." (semperis.com)
Detection of Golden dMSA activity is challenging, as it requires manual log configuration and auditing. The attack's practical reach is, however, limited by the requirement that attackers already possess a Key Distribution Service (KDS) root key, which is typically accessible only to highly privileged accounts such as Domain Admins, Enterprise Admins, and SYSTEM. Consequently, Semperis has rated the vulnerability as moderate risk. (semperis.com)
This discovery underscores the critical importance of securing managed service accounts and highlights the need for organizations to implement robust monitoring and auditing practices to detect and mitigate potential exploitation of such vulnerabilities.
Source: Technology Decisions, "Semperis discovers critical flaw in Windows Server 2025"