IT Brief UK - Technology news for CIOs & IT decision-makers
United Kingdom

Guides

#
artificial intelligence
#
digital transformation
#
disaster recovery
#
hybrid & remote work
#
internet of things

Search

Realistic server room with red highlighted vulnerable racks shadowy cyber threat
#
Advanced Persistent Threat Protection
#
IAM
#
Cybersecurity

Golden dMSA flaw in Windows Server 2025 exposes Active Directory

Yesterday
Author image
By Jed Nykolle Harme, Editor

Security researchers have identified a critical flaw in delegated Managed Service Accounts (dMSA) within Windows Server 2025 that could allow attackers to maintain persistent and widespread access across Active Directory environments.

Flaw found in dMSA

The vulnerability, uncovered by Semperis security researcher Adi Malyanker, has been termed the Golden dMSA attack. It takes advantage of a design issue in dMSAs, a security feature first introduced in Windows Server 2025, which can be misused by bad actors to gain ongoing access and elevate privileges across domains after compromising a forest-level account.

Malyanker developed a tool named GoldenDMSA to demonstrate and analyse the technique, enabling security practitioners to examine in detail how the attack could be executed in operational networks.

The research shows that the attack leverages a predictable element within the ManagedPasswordId structure of dMSAs. This identifier includes time-based components that, according to Semperis, present only 1,024 possible combinations. This low number of possibilities makes brute-force attacks on service account passwords computationally straightforward, potentially enabling a threat actor not only to persist in an Active Directory environment but also to move laterally across domains.

"Golden dMSA exposes a critical design flaw that could let attackers generate service account passwords and persist undetected in Active Directory environments. I built a tool that helps defenders and researchers better understand the mechanism of the attack. Organisations should proactively assess their systems to stay ahead of this emerging threat," said Malyanker.

Risk assessment and implications

Semperis has rated the risk associated with the Golden dMSA technique as moderate. However, the researchers warn that in cases where an attacker achieves initial forest-level compromise, the method could make it possible to completely take over dMSA or Group Managed Service Account (gMSA) environments. Successful exploitation would allow attackers to maintain control without detection for extended periods, posing a severe threat to corporate and governmental IT infrastructure.

The potential for widespread, persistent access stems from the architectural flaw in how dMSA passwords are generated and managed. By exploiting the weak cryptographic and structural protections, attackers could automate the generation of valid account credentials for managed service accounts, undermining protections intended to secure critical identity services.

Recent related work

The Golden dMSA research builds on previous work by Semperis in the field of identity threat detection. The group has reported on other vulnerabilities, such as nOauth, which affects Microsoft's Entra ID and may permit full account takeover in software-as-a-service applications.

Semperis has also implemented detection features in its Directory Services Protector platform to defend against BadSuccessor, another high-impact privilege escalation technique that targets a recently introduced functionality in Windows Server 2025. This comes in addition to the Silver SAML vulnerability discovered by the team, a new variant related to Golden SAML attacks from the SolarWinds incident, which can bypass conventional security measures in Entra ID-integrated applications.

Recommendations and industry impact

The research underscores the need for organisations using Windows Server 2025 and managed service accounts to carry out active risk assessments and update their security controls. Attackers exploiting weaknesses in dMSA structures could not only remain undetected but also have unrestricted access to valuable resources across a company's entire digital estate.

Industry observers and IT departments are expected to analyse the implications of the flaw, explore mitigation options, and consider how tools such as GoldenDMSA can be used by defenders to better understand and counteract these attack vectors. The ability to simulate attacks is viewed as a vital capability for defenders and researchers, supporting a more robust defensive posture against evolving identity-based threats.

Follow us on:
Follow us on LinkedIn Follow us on X
Share on:
Share on LinkedIn Share on X
Related stories
Netskope One DSPM now available via AI Agents on AWS Marketplace
Check Point launches Quantum Spark 2500 firewalls for SMB security
F5 enhances AI data protection with real-time leak detection tools
KnowBe4 named a top workplace for 2025 in cybersecurity sector
Low trust in third-party vendors weakens UK digital resilience

Top stories

Octo Tempest targets airlines as Microsoft warns of new cyber risks
LogicMonitor launches Edwin AI for ITOps on AWS Marketplace
AI shifts from adviser to architect in enterprise decision-making
Bitdefender, Scale Computing partner to enhance edge security
Windows Server 2025 flaw lets attackers persist in Active Directory