Windows Server 2025 flaw lets attackers persist in Active Directory

Semperis researchers have uncovered a significant design flaw in Windows Server 2025, which poses a risk to managed service accounts. Dubbed ‘Golden dMSA’, this vulnerability could leave these accounts susceptible to undetected attacks, raising concerns about the security of resources across Active Directory.

Vulnerability details

The flaw specifically targets delegated Managed Service Accounts (dMSAs) within the latest iteration of Windows Server. According to Semperis, the implications of this vulnerability are profound, as it could grant attackers persistent access to these accounts without detection. This access may facilitate cross-domain lateral movement, potentially compromising a wide array of resources.

To aid in understanding and addressing this threat, researcher Adi Malyanker has developed a tool named GoldenDMSA. This innovative tool simulates the attack’s logic, allowing security professionals to better comprehend the risks associated with the vulnerability. By employing GoldenDMSA, defenders can assess how this technique might be exploited within their own environments.

Technical findings

The core of the Golden dMSA attack lies in a cryptographic flaw within the security features introduced in Windows Server 2025. The attack exploits the predictability of the ManagedPasswordId structure used by dMSAs, which contains time-based components. With only 1,024 possible combinations, attackers can easily brute-force service account passwords.

“Golden dMSA exposes a critical design flaw that could let attackers generate service account passwords and persist undetected in Active Directory environments,” said Malyanker.

“I built a tool that helps defenders and researchers better understand the mechanism of the attack. Organisations should proactively assess their systems to stay ahead of this emerging threat.”

This vulnerability allows threat actors to potentially traverse domains and maintain access over extended periods, evading traditional monitoring methods.

Industry context

The findings regarding Golden dMSA build upon Semperis’s previous work in identifying identity-related vulnerabilities. Notably, the company has also brought attention to a vulnerability known as nOauth in Microsoft’s Entra ID, which can lead to full account takeovers in certain vulnerable SaaS applications with minimal attacker interaction.

In the past year, Semperis has enhanced detection capabilities within its Directory Services Protector platform to combat BadSuccessor, a severe privilege escalation technique targeting a new feature in Windows Server 2025. Additionally, the team identified Silver SAML, a variant of the Golden SAML technique from the SolarWinds incident, which can bypass standard security defenses in applications integrated with Entra ID.

Recommendations and implications

In light of these findings, Semperis recommends that organizations utilizing Windows Server 2025 conduct proactive assessments of their managed service accounts and overall identity infrastructure. By grasping the mechanics of the newly disclosed attack and leveraging simulation tools like GoldenDMSA, security and IT teams can evaluate their exposure and devise appropriate mitigation strategies.
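As a starting point for the assessment described above, the following PowerShell snippet (an added example, not code from the article, Semperis or the GoldenDMSA tool) inventories gMSA and dMSA objects in the domain and reports whether each carries a ManagedPasswordId, so that defenders can see which accounts fall within the scope of this research. It assumes the RSAT ActiveDirectory module and read access to the directory; the column names in the output object are the author's own choices.

```powershell
# Added example (not from the article): list managed service accounts for exposure review.
# Assumes the RSAT ActiveDirectory module is installed and the caller can read the domain.
Import-Module ActiveDirectory

function Get-ManagedServiceAccountInventory {
    [CmdletBinding()]
    param(
        # Defaults to the whole domain; narrow it to an OU to scope the review.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    # msDS-GroupManagedServiceAccount is the gMSA class; msDS-DelegatedManagedServiceAccount
    # is the dMSA class introduced with Windows Server 2025.
    $filter = '(|(objectClass=msDS-GroupManagedServiceAccount)' +
              '(objectClass=msDS-DelegatedManagedServiceAccount))'

    Get-ADObject -LDAPFilter $filter -SearchBase $SearchBase `
        -Properties objectClass, 'msDS-ManagedPasswordId', 'msDS-ManagedPasswordInterval', whenCreated |
    ForEach-Object {
        [pscustomobject]@{
            Name              = $_.Name
            Class             = $_.objectClass
            # A populated ManagedPasswordId means the account's password is derived from
            # the structure the Golden dMSA research describes as predictable.
            HasPasswordId     = $null -ne $_.'msDS-ManagedPasswordId'
            IntervalDays      = $_.'msDS-ManagedPasswordInterval'
            Created           = $_.whenCreated
            DistinguishedName = $_.DistinguishedName
        }
    }
}

# Review dMSAs first, since they are the focus of the finding.
Get-ManagedServiceAccountInventory |
    Sort-Object Class, Name |
    Format-Table Name, Class, HasPasswordId, IntervalDays, Created -AutoSize
```

The output is an inventory only; it does not test the brute-force itself. Pair it with your existing monitoring of service-account authentication to prioritise which accounts to review.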

The discovery of Golden dMSA underscores the persistent challenges in identity and account management security, particularly as new features are integrated into widely used enterprise systems such as Active Directory. The predictability of password generation mechanisms, as highlighted by Malyanker’s research, emphasizes the critical nature of cryptographic design choices in authentication frameworks.

As Semperis continues its commitment to identity security research, the company urges the cybersecurity community to remain vigilant in the face of emerging issues stemming from changes in enterprise software architecture and security models.
