Here’s a summary of the critical flaw "Golden dMSA" in Windows Server 2025 reported by Semperis:
What is Golden dMSA?
Golden dMSA is a newly discovered, critical design flaw in delegated Managed Service Accounts (dMSA) on Windows Server 2025.
Discovered by: Semperis, a security research and identity security solutions firm.
Why is it Dangerous?
Impact: It enables attackers to achieve cross-domain lateral movement and maintain persistent, stealthy access to every managed service account and its connected resources in Active Directory.
Mechanism: The flaw centers around the ManagedPasswordId structure, which relies on predictable, time-based elements — just 1,024 combinations — making brute-force generation of passwords very easy.
Result: Attackers can essentially “crack” the passwords for these accounts, gaining ongoing, undetected access.
Attack Method & Tools
Research tool: Semperis researcher Adi Malyanker developed “GoldenDMSA,” a tool that demonstrates and simulates this attack pattern for security testing and validation.
Technical Details
The vulnerability stems from a cryptographic weakness in Microsoft’s dMSA implementation, undermining what was supposed to be a security innovation in Server 2025.
Attackers can generate these service account passwords quickly, "persisting undetected" in directory environments.
Defensive Actions
Recommendation: Organizations should proactively review their environments to assess the presence and exposure of dMSA accounts, and monitor for any suspicious use or changes involving these credentials.
Semperis Solutions: The company has introduced new detection capabilities in its Directory Services Protector platform.
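As an added example of the "review your environment" step above (not code from the page or from Semperis), the following PowerShell inventories dMSA objects in the current domain and lists who may retrieve each account's managed password. It assumes the RSAT ActiveDirectory module is installed, that dMSA objects carry objectClass msDS-DelegatedManagedServiceAccount, and that the attributes msDS-DelegatedMSAState, msDS-ManagedAccountPrecededByLink and msDS-GroupMSAMembership are populated as they are for gMSAs; all three attribute names are assumptions, not taken from the page.

```powershell
# Added example: enumerate dMSA accounts and summarize their exposure.
# Assumptions (not from the page): RSAT ActiveDirectory module; dMSA objects use
# objectClass msDS-DelegatedManagedServiceAccount; the listed attributes exist.
Import-Module ActiveDirectory

function Get-DmsaInventory {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    $props = @('msDS-DelegatedMSAState', 'msDS-ManagedAccountPrecededByLink',
               'msDS-GroupMSAMembership', 'whenCreated', 'servicePrincipalName')

    Get-ADObject -LDAPFilter '(objectClass=msDS-DelegatedManagedServiceAccount)' `
                 -SearchBase $SearchBase -Properties $props |
    ForEach-Object {
        # msDS-GroupMSAMembership is a security descriptor naming the principals
        # allowed to read the managed password. The AD module usually returns it as an
        # ActiveDirectorySecurity object; handle the raw byte[] form as well.
        $allowed = @()
        $sdValue = $_.'msDS-GroupMSAMembership'
        if ($sdValue) {
            if ($sdValue -is [byte[]]) {
                $sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
                $sd.SetSecurityDescriptorBinaryForm($sdValue)
            } else {
                $sd = $sdValue
            }
            $allowed = $sd.Access |
                       Where-Object { $_.AccessControlType -eq 'Allow' } |
                       ForEach-Object { $_.IdentityReference.Value }
        }
        [pscustomobject]@{
            Name                = $_.Name
            State               = $_.'msDS-DelegatedMSAState'
            SupersededAccount   = $_.'msDS-ManagedAccountPrecededByLink'
            CanRetrievePassword = ($allowed -join '; ')
            SPNs                = ($_.servicePrincipalName -join '; ')
            Created             = $_.whenCreated
        }
    }
}

# Review the output for accounts with broad CanRetrievePassword sets or
# unexpected SupersededAccount links; both widen the blast radius described above.
Get-DmsaInventory | Sort-Object State, Name | Format-Table -AutoSize
```

Run it from a domain-joined host with read access to the directory; an empty result simply means no dMSA objects exist in the searched base.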
Related Research
Semperis has also publicized vulnerabilities like nOauth (impacting Microsoft Entra ID account takeovers) and Silver SAML (bypassing safeguards in Entra ID-integrated apps).
If you need official mitigations, proof-of-concept details, or links to research tools, let me know! Would you like guidance on detecting or defending against Golden dMSA?