Windows Server 2025 Golden dMSA Attack Enables Authentication Bypass and Password Generation
A critical design flaw in Microsoft’s latest Windows Server 2025 enables attackers to bypass authentication and generate passwords for all managed service accounts across enterprise networks.
The vulnerability, dubbed “Golden dMSA,” exploits a fundamental weakness in the newly introduced delegated Managed Service Accounts (dMSAs) that reduces complex cryptographic protections to a trivial brute-force attack requiring only 1,024 attempts.
Semperis Security Researcher Adi Malyanker discovered the vulnerability while analyzing the architecture of dMSAs, Microsoft’s flagship security innovation designed to revolutionize service account management in Windows Server 2025.

Unlike traditional service accounts that rely on static passwords vulnerable to Kerberoasting attacks, dMSAs were engineered to bind authentication directly to authorized machines in Active Directory, eliminating credential theft by tying authentication to device identity rather than user-managed passwords.
The Golden dMSA attack undermines this entire security model by exploiting a critical design flaw in the ManagedPasswordId structure used for password generation.
This structure contains predictable time-based components with only 1,024 possible combinations, turning what should be computationally infeasible into a straightforward brute-force operation that can be completed in minutes.
Windows Server 2025 Golden dMSA Attack
The attack follows a systematic four-phase approach that transforms a single domain controller compromise into forest-wide persistent access.
First, attackers extract cryptographic material from the Key Distribution Services (KDS) root key, which serves as the foundation for all managed service account passwords.
Next, they enumerate dMSA accounts throughout the Active Directory forest using specialized techniques that bypass restrictive Access Control Lists.
The third phase involves identifying the correct ManagedPasswordId attributes through targeted guessing, and the fourth generates the account passwords using specialized tools.
What makes this vulnerability particularly dangerous is its scope and persistence. The attack operates at the forest level, meaning a single successful KDS root key extraction enables cross-domain lateral movement and compromise of every dMSA account across all domains within that forest.

Since KDS root keys have no expiration date, this access could theoretically last indefinitely, creating a persistent backdoor that survives typical security rotations and updates.
Semperis rates this vulnerability as moderate risk because exploitation requires possession of a KDS root key, which is only accessible to the most privileged accounts: Domain Admins, Enterprise Admins, and SYSTEM-level access.
However, the researchers emphasize that the impact can be extremely high, enabling attackers to bypass modern protections like Credential Guard and fundamentally challenge the assumed security benefits of machine-bound authentication.
The attack is particularly concerning because it completely circumvents Microsoft’s intended authentication flow.
Instead of following normal dMSA authentication procedures that require machine identity validation, the Golden dMSA technique uses compromised cryptographic keys to generate valid passwords directly, rendering Credential Guard and similar protections irrelevant.

Detection of Golden dMSA activity presents significant challenges for enterprise security teams.
By default, no security events are logged when KDS root keys are compromised, requiring administrators to manually configure System Access Control Lists (SACLs) on KDS root key objects to audit read access.
This configuration gap makes the attack particularly stealthy and difficult to detect in real time. The tool is available via GitHub.
Organizations can monitor for abnormal volumes of authentication requests targeting service accounts and unusual Ticket-Granting Ticket requests for dMSA accounts.
However, these indicators require sophisticated log analysis and may generate false positives in busy enterprise environments.
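The SACL configuration the article says administrators must set up manually, as an added example that is not part of the original report or Semperis's tooling. It assumes the ActiveDirectory PowerShell module (which provides the AD: drive), that the KDS root keys live under CN=Master Root Keys,CN=Group Key Distribution Service,CN=Services in the forest's configuration partition, and that the caller holds the privilege to write SACLs (typically Enterprise Admin on a domain controller).

```powershell
# Added example: audit read access to KDS root key objects so that key extraction
# leaves a trace. Not from the article; paths and privileges are assumptions (see lead-in).
Import-Module ActiveDirectory

# Locate the container that holds the KDS root keys in the configuration partition.
$configNC     = (Get-ADRootDSE).configurationNamingContext
$kdsContainer = "CN=Master Root Keys,CN=Group Key Distribution Service,CN=Services,$configNC"

# Audit every successful property read, by any principal, on the container and on each
# root key object beneath it. Trustee is Everyone (S-1-1-0) so privileged readers are recorded too.
$everyone = New-Object System.Security.Principal.SecurityIdentifier("S-1-1-0")
$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $everyone,
    [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
    [System.Security.AccessControl.AuditFlags]::Success,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
)

# Read the current security descriptor including its SACL, add the rule, write it back.
$acl = Get-Acl -Path "AD:\$kdsContainer" -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path "AD:\$kdsContainer" -AclObject $acl

# SACL entries only produce events when the Directory Service Access subcategory is enabled.
auditpol /set /subcategory:"Directory Service Access" /success:enable

# Verify: show the audit entries now on the container and the root keys that inherit them.
(Get-Acl -Path "AD:\$kdsContainer" -Audit).Audit |
    Format-Table IdentityReference, ActiveDirectoryRights, AuditFlags, InheritanceType
Get-KdsRootKey | Select-Object KeyId, CreationTime, EffectiveTime
```

Once in place, reads of the root key objects surface in the domain controller Security log as directory service access events; alert on any of them that do not originate from expected service hosts.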
Microsoft acknowledged the vulnerability report submitted to the Microsoft Security Response Center on May 27, 2025. In their July 8, 2025, response, the company stated: “If you have the secrets used to derive the key, you can authenticate as that user. These features have never been intended to protect against a compromise of a domain controller.”