Here’s a summary of the breaking news reported by Semperis about a critical design flaw, called Golden dMSA, affecting Windows Server 2025:
What is Golden dMSA?
Golden dMSA is a critical design flaw found in Delegated Managed Service Accounts (dMSA) in Windows Server 2025. The flaw exposes Active Directory environments to serious security risks, including:
Cross-domain lateral movement by attackers
Persistent, undetected access to all managed service accounts and the resources they protect across Active Directory
How does the attack work?
The flaw centers on the “ManagedPasswordId” structure: because its components are predictable and time-based, it has only 1,024 possible combinations. That makes brute-forcing a service account's password fast and easy for an attacker.
Once the structure is brute-forced, attackers can generate valid service account passwords, giving them undetected access and persistence.
Tools and Research
Semperis researcher Adi Malyanker created a tool called “GoldenDMSA” to demonstrate and simulate how this attack technique can be exploited.
The tool helps security teams understand, test, and prepare defenses for this emerging vulnerability.
Why is it critical?
The vulnerability stems from a fundamental cryptographic weakness in how dMSAs derive their passwords, potentially defeating the new security controls Microsoft introduced in Windows Server 2025.
Attackers can remain persistent in your environment, bypassing detection.
Brute-forcing is computationally trivial due to the low number of combinations.
Action items for organizations
Organizations using Windows Server 2025 should proactively inventory their delegated Managed Service Accounts and assess the security posture of those accounts.
Employ new detection capabilities (such as those in Semperis Directory Services Protector) and stay informed about further patches and mitigations from Microsoft.
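As an added example (not code from Semperis or from the GoldenDMSA tool), here is a PowerShell inventory a defender could run to see which group and delegated Managed Service Accounts exist in the current domain, as a starting point for the assessment above. It assumes the ActiveDirectory RSAT module is installed, that gMSA objects use the msDS-GroupManagedServiceAccount object class, and that dMSA objects use the msDS-DelegatedManagedServiceAccount object class and carry an msDS-DelegatedMSAState attribute; the dMSA names are taken from the Windows Server 2025 schema as understood here and are assumptions, not something the report states.

```powershell
# Added example, not from the Semperis report or the GoldenDMSA tool.
# Inventories group and delegated Managed Service Accounts in the current
# domain so their use can be assessed. Requires the ActiveDirectory RSAT module.
# ASSUMPTION: dMSA objects carry the object class
# msDS-DelegatedManagedServiceAccount and the attribute msDS-DelegatedMSAState
# (Windows Server 2025 schema); gMSAs use msDS-GroupManagedServiceAccount.
Import-Module ActiveDirectory

$filter = '(|(objectClass=msDS-GroupManagedServiceAccount)(objectClass=msDS-DelegatedManagedServiceAccount))'
$props  = 'objectClass', 'whenCreated', 'whenChanged', 'msDS-DelegatedMSAState'

$accounts = Get-ADObject -LDAPFilter $filter -Properties $props |
    ForEach-Object {
        [pscustomobject]@{
            Name              = $_.Name
            Class             = $_.objectClass
            Created           = $_.whenCreated
            LastChanged       = $_.whenChanged
            DelegatedState    = $_.'msDS-DelegatedMSAState'   # $null for gMSAs
            DistinguishedName = $_.DistinguishedName
        }
    }

# Count accounts per class, then list each one for review.
$accounts | Group-Object Class | Select-Object Name, Count | Format-Table -AutoSize
$accounts | Sort-Object Class, Name | Format-Table -AutoSize

# Export a dated snapshot; diff against earlier runs to spot newly created
# managed accounts that nobody provisioned on purpose.
$accounts | Export-Csv -Path ".\managed-service-accounts-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Run it with an account that can read the domain; ordinary domain users can usually read these attributes, so no privileged credentials are needed for the inventory itself. Comparing successive CSV snapshots is a cheap way to notice managed accounts appearing or changing outside the normal provisioning process.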
Additional Context
Semperis previously uncovered other significant vulnerabilities in Microsoft’s identity infrastructure, such as Silver SAML and nOauth, and continues to develop defensive tools as these threats emerge.