Critical Flaw in Windows Server 2025 exposed

Semperis has released new research detailing Golden dMSA, a critical design flaw active in delegated Managed Service Accounts (dMSAa) in Windows Server 2025. The flaw can result in high-impact attacks, enabling cross-domain lateral movement and persistent access to all managed service accounts and their resources across Active Directory indefinitely.

To help further understanding of how this attack technique works in practice, Semperis Researcher Adi Malyanker built a tool called GoldenDMSA. The tool incorporates the logic of the attack, allowing users to efficiently explore, evaluate, and simulate how the technique may be exploited in real-world environments.

The Golden dMSA attack leverages a cryptographic vulnerability that can undermine Microsoft’s latest security innovation in Windows Server 2025. This technique exploits the architectural foundation of dMSAs. The attack leverages a critical design flaw: the ManagedPasswordId structure contains predictable time-based components with only 1,024 combinations, making brute-force password generation computationally trivial.

“Golden dMSA exposes a critical design flaw that could let attackers generate service account passwords and persist undetected in Active Directory environments,” said Malyanker. “I built a tool that helps defenders and researchers better understand the mechanism of the attack. Organisations should proactively assess their systems to stay ahead of this emerging threat.”

Semperis researchers, pioneers in identity threat detection, recently announced new research into nOauth, a known vulnerability in Microsoft’s Entra ID that enables full account takeover in vulnerable SaaS apps with minimal attacker effort. In addition, new detection capabilities were developed in the company’s Directory Services Protector platform to enable defense against BadSuccessor, a high-severity privilege escalation technique targeting a newly introduced feature in Windows Server 2025. Last year, Semperis researchers discovered Silver SAML, a new variant of the SolarWinds-era Golden SAML technique that bypasses standard defenses in Entra ID-integrated applications.