Here’s a summary of the breaking news reported by Semperis about a critical design flaw, called Golden dMSA, affecting Windows Server 2025:
What is Golden dMSA?
Golden dMSA is the name Semperis gave to a critical design flaw in how Delegated Managed Service Accounts (dMSAs), a new account type in Windows Server 2025, derive their passwords. The flaw exposes Active Directory environments to serious security risks, including:
- Cross-domain lateral movement by attackers, because the key material involved is shared across the whole forest
- Persistent, hard-to-detect access to all managed service accounts and the resources they can reach across the Active Directory forest
How does the attack work?
- The flaw centers on the “ManagedPasswordId” structure. The key identifiers inside it are derived from time in a predictable way, so within one top-level key period only 1,024 combinations are possible. An attacker who already holds the forest's KDS root key can therefore derive a candidate password for each of those combinations and test them, which turns what should be a hard problem into a trivial search.
- The prerequisite matters: reading the KDS root key requires Domain Admin or Enterprise Admin rights (or SYSTEM on a domain controller), so Golden dMSA is a post-compromise persistence technique rather than an initial-access flaw. Once the key is obtained, the attacker can compute valid current passwords for managed service accounts offline, without ever requesting them from a domain controller, so the usual password-retrieval events are never generated.
Tools and Research
- Semperis researcher Adi Malyanker created a tool called “GoldenDMSA” that demonstrates how the technique can be exploited.
- The tool helps security teams understand the attack, test their own environments, and prepare defenses for this emerging threat.
Why is it critical?
- The weakness is structural rather than a bug in one component: the inputs that make each managed password unique are low-entropy and predictable, so the secrecy of every dMSA password (and of the older gMSA passwords, which use the same key derivation) collapses to the secrecy of the forest's KDS root key. The new dMSA protections in Windows Server 2025 do not change that.
- An attacker who obtains the KDS root key once can keep computing valid passwords as they rotate, so the persistence survives account password changes and does not appear as a password retrieval on any domain controller.
- Brute-forcing is computationally trivial because there are at most 1,024 candidates per key period.
Action items for organizations
- Organizations using Windows Server 2025 should proactively inventory their gMSAs and dMSAs, review what those accounts can access, and treat anything that can read the KDS root key (domain and enterprise admins, and the domain controllers themselves) as tier-0.
- Audit reads of the KDS root key objects, employ new detection capabilities (like those in Semperis Directory Services Protector), and stay informed about further patches and mitigations from Microsoft.
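As an added example of the detection side (not code from the article, from Semperis, or from Microsoft), the script below filters Security log 4662 events for reads of KDS root key objects by principals that are not domain controllers. It assumes that “Audit Directory Service Access” is enabled and a SACL has been placed on the `CN=Master Root Keys,CN=Group Key Distribution Service,CN=Services,CN=Configuration,...` container; the three sample events are constructed, the GUID in the object name is made up, and the DC account list is an assumption about the environment. In real events the `ObjectType` field may carry the schema class GUID rather than the name `msKds-ProvRootKey`, which is why the filter also matches on the container in `ObjectName`.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
KDS_ROOT_KEY_CLASS = "msKds-ProvRootKey"
KDS_CONTAINER = "CN=Master Root Keys,CN=Group Key Distribution Service,CN=Services,CN=Configuration,"
ADS_RIGHT_DS_READ_PROP = 0x10  # 'Read Property' bit in the 4662 AccessMask

# Constructed sample events shaped like Security log 4662 XML; not captured from a real system.
# The root key GUID below is invented.
_ROOT_KEY_DN = ("CN=6f4a1d2c-0000-4000-8000-000000000001," + KDS_CONTAINER + "DC=corp,DC=example")


def _event(subject: str, object_type: str, object_name: str, access_mask: str) -> str:
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4662</EventID><Computer>DC01.corp.example</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">{subject}</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="ObjectType">{object_type}</Data>
    <Data Name="ObjectName">{object_name}</Data>
    <Data Name="AccessMask">{access_mask}</Data>
  </EventData>
</Event>"""


SAMPLE_EVENTS = [
    _event("DC01$", KDS_ROOT_KEY_CLASS, _ROOT_KEY_DN, "0x10"),        # DC reading the key: expected
    _event("svc-backup", KDS_ROOT_KEY_CLASS, _ROOT_KEY_DN, "0x10"),   # non-DC reading the key: alert
    _event("jdoe", "user", "CN=J Doe,OU=Staff,DC=corp,DC=example", "0x10"),  # unrelated read
]


def parse_4662(xml_text: str) -> dict:
    """Flatten one 4662 event into a dict of EventID plus the EventData fields."""
    root = ET.fromstring(xml_text)
    fields = {"EventID": root.findtext("e:System/e:EventID", namespaces=NS)}
    for data in root.iterfind("e:EventData/e:Data", NS):
        fields[data.get("Name")] = data.text or ""
    return fields


def is_kds_root_key_read(ev: dict) -> bool:
    """True when the event is a property read on a KDS root key object."""
    if ev.get("EventID") != "4662":
        return False
    on_root_key = (ev.get("ObjectType") == KDS_ROOT_KEY_CLASS
                   or KDS_CONTAINER in ev.get("ObjectName", ""))
    mask = int(ev.get("AccessMask", "0x0"), 16)
    return on_root_key and bool(mask & ADS_RIGHT_DS_READ_PROP)


def kds_root_key_reads_by_non_dc(xml_events: list[str], dc_accounts: set[str]) -> list[dict]:
    """Return the parsed events where something other than a DC machine account read a root key.

    dc_accounts holds the sAMAccountNames of the domain controllers (e.g. 'DC01$'); it is an
    assumption about the environment and would normally be pulled from AD.
    """
    hits = []
    for xml_text in xml_events:
        ev = parse_4662(xml_text)
        if is_kds_root_key_read(ev) and ev.get("SubjectUserName") not in dc_accounts:
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for hit in kds_root_key_reads_by_non_dc(SAMPLE_EVENTS, {"DC01$", "DC02$"}):
        print(f"ALERT: {hit['SubjectDomainName']}\\{hit['SubjectUserName']} read {hit['ObjectName']}")
```

A read of the root key by a human or service account is rare enough in a healthy forest that each one deserves a ticket; legitimate administrative reasons exist (for example creating or inspecting KDS root keys), so the alert is a prompt to verify, not proof of compromise. Pair it with monitoring for the same principal later authenticating as managed service accounts it has no business using.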
Additional Context
- Semperis previously uncovered other significant vulnerabilities in Microsoft’s identity infrastructure, such as Silver SAML and nOAuth, and continues to develop defensive tools as these threats emerge.
Read more: Semperis unveils critical design flaw in Windows 2025 — SourceSecurity.com
If you need recommendations for immediate steps, mitigation, or technical implementation guidance for detecting Golden dMSA exploits, let me know!
Source: SourceSecurity.com https://www.sourcesecurity.com/news/semperis-unveils-critical-design-flaw-windows-co-1686291773-ga.1752740199.html