Semperis discovers critical flaw in Windows Server 2025


By Dylan Bushell-Embling
Thursday, 17 July, 2025

Semperis discovers critical flaw in Windows Server 2025

Researchers from identity security company Semperis have discovered what they are calling a critical design flaw in Windows Server 2025 that has exposed managed service accounts to attacks from malicious actors.

The flaw can result in high-impact attacks enabling cross-domain lateral movement and indefinite access to all delegated managed service accounts (DMSA) across Active Directory.

Semperis researcher Adi Malyanker built a tool called GoldenDMSA that can exploit the vulnerability, enabling users to explore, evaluate and simulate how the technique may be leveraged in real-world environments.

The attack leverages a cryptographic vulnerability that can exploit the architectural foundation of DSMAs, the ManagedPasswordId structure, which contains predictable time-based components with only 1024 combinations, making brute-force password generation trivial.

“Golden dMSA exposes a critical design flaw that could let attackers generate service account passwords and persist undetected in Active Directory environments,” Malyanker said. “I built a tool that helps defenders and researchers better understand the mechanism of the attack. Organisations should proactively assess their systems to stay ahead of this emerging threat.”

Detection of Golden dMSA activity requires manual log configuration and auditing, making mitigation a complicated and difficult task. But to exploit the vulnerability, attackers must possess a KDS root key available only to only the most privileged accounts. As a result, Semperis has rated the vulnerability as having only a moderate risk.

Image credit: iStock.com/MF3d

Related News

Palo Alto seeks to redefine application security

Palo Alto Networks' new Cortex Cloud APSM solution is aimed at resolving security risks...

HPE unveils new security tools at Black Hat USA

HPE has introduced a range of new AI-driven security capabilities at the annual Black Hat USA...

CISA and Microsoft warn of "active attacks" on SharePoint

Alerts have been published warning of active attacks exploiting a remote code execution...


  • All content Copyright © 2025 Westwick-Farrow Pty Ltd