Here’s a summary of the breaking news reported by Semperis about a critical design flaw, called Golden dMSA, affecting Windows Server 2025:

What is Golden dMSA?

Golden dMSA is a critical design flaw found in Delegated Managed Service Accounts (dMSA) within Windows Server 2025. The flaw exposes Active Directory environments to serious security risks, including:
  • Cross-domain lateral movement by attackers
  • Persistent, undetected access to all managed service accounts and resources across the Active Directory

How does the attack work?

  • The flaw centers around the “ManagedPasswordId” structure, which—due to predictable, time-based elements—has only 1,024 possible combinations. This makes brute-forcing the password for service accounts fast and easy for attackers.
  • Exploiters can generate valid service account passwords, enabling undetected access and persistence.

Tools and Research

  • Semperis researcher Adi Malyanker created a tool called “GoldenDMSA” to demonstrate and simulate how this attack technique can be exploited.
  • The tool helps security teams understand, test, and prepare defenses for this emerging vulnerability.

Why is it critical?

  • The vulnerability leverages fundamental cryptographic weaknesses in dMSAs, potentially defeating Microsoft’s new security controls in Windows Server 2025.
  • Attackers can remain persistent in your environment, bypassing detection.
  • Brute-forcing is computationally trivial due to the low number of combinations.

Action items for organizations

  • Organizations using Windows Server 2025 should proactively assess their use of delegated Managed Service Accounts and their security postures.
  • Employ new detection capabilities (like those in Semperis Directory Services Protector) and stay informed about further patches and mitigations from Microsoft.

Additional Context

  • Semperis previously uncovered other significant vulnerabilities in Microsoft’s identity infrastructure, such as Silver SAML and nOauth, and continues to develop defensive tools as these threats emerge.

Reference:
Read more: Semperis unveils critical design flaw in Windows 2025 — SourceSecurity.com
If you need recommendations for immediate steps, mitigation, or technical implementation guidance for detecting Golden dMSA exploits, let me know!

Source: SourceSecurity.com https://www.sourcesecurity.com/news/semperis-unveils-critical-design-flaw-windows-co-1686291773-ga.1752740199.html
 
