Semperis discovers critical flaw in Windows Server 2025


By Dylan Bushell-Embling
Thursday, 17 July, 2025

Researchers from identity security company Semperis have discovered what they are calling a critical design flaw in Windows Server 2025 that has exposed managed service accounts to attacks from malicious actors.

The flaw can result in high-impact attacks enabling cross-domain lateral movement and indefinite access to all delegated managed service accounts (dMSAs) across Active Directory.

Semperis researcher Adi Malyanker built a tool called GoldenDMSA that can exploit the vulnerability, enabling users to explore, evaluate and simulate how the technique may be leveraged in real-world environments.

The attack abuses a cryptographic weakness in the architectural foundation of dMSAs, the ManagedPasswordId structure: its time-based components are predictable and admit only 1024 combinations, making brute-force password generation trivial.

“Golden dMSA exposes a critical design flaw that could let attackers generate service account passwords and persist undetected in Active Directory environments,” Malyanker said. “I built a tool that helps defenders and researchers better understand the mechanism of the attack. Organisations should proactively assess their systems to stay ahead of this emerging threat.”

Detection of Golden dMSA activity requires manual log configuration and auditing, making mitigation a complicated and difficult task. But to exploit the vulnerability, attackers must possess a KDS root key, which is available only to the most privileged accounts. As a result, Semperis has rated the vulnerability as having only a moderate risk.
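Because the article notes that exploitation depends on access to a KDS root key and that detection needs deliberate auditing, a defender's first step is an inventory: which dMSAs exist, which KDS root keys are present, and which principals are allowed to read the root key material. The script below is an added example written for this page; it is not Semperis' GoldenDMSA tool and is not taken from the article. It assumes a domain-joined host with the RSAT ActiveDirectory and KDS modules installed, an account permitted to read the configuration partition, and the documented object class names for dMSAs (msDS-DelegatedManagedServiceAccount) and KDS root keys (msKds-ProvRootKey); the function name Get-DmsaExposureReport is an invented one.

```powershell
# Added defender-side inventory example (not the article's or Semperis' code).
# Assumptions: RSAT ActiveDirectory + KDS modules present; caller can read the
# configuration naming context; object class names as documented for Server 2025.
Import-Module ActiveDirectory

function Get-DmsaExposureReport {
    # 1. Delegated managed service accounts (dMSAs) and the accounts they supersede.
    $dmsas = Get-ADObject -LDAPFilter '(objectClass=msDS-DelegatedManagedServiceAccount)' `
        -Properties 'msDS-ManagedAccountPrecededByLink', whenCreated, whenChanged |
        Select-Object Name, DistinguishedName, whenCreated, whenChanged,
            @{ Name = 'PrecededBy'; Expression = { $_.'msDS-ManagedAccountPrecededByLink' } }

    # 2. KDS root keys: every dMSA password in the forest derives from one of these,
    #    so each key's age and id is worth recording in the report.
    $rootKeys = Get-KdsRootKey | Select-Object KeyId, EffectiveTime, CreationTime

    # 3. Who can read the root key objects? The article states only the most
    #    privileged accounts should have this access; list everything that does.
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $keyContainer = "CN=Master Root Keys,CN=Group Key Distribution Service,CN=Services,$cfg"  # assumed container path
    $readers = Get-ADObject -SearchBase $keyContainer -LDAPFilter '(objectClass=msKds-ProvRootKey)' |
        ForEach-Object {
            $dn = $_.DistinguishedName
            (Get-Acl -Path "AD:\$dn").Access |
                Where-Object {
                    $_.AccessControlType -eq 'Allow' -and
                    $_.ActiveDirectoryRights -match 'GenericAll|GenericRead|ReadProperty'
                } |
                Select-Object @{ Name = 'RootKey'; Expression = { $dn } },
                              IdentityReference, ActiveDirectoryRights, IsInherited
        }

    [pscustomobject]@{
        DmsaCount      = @($dmsas).Count
        Dmsas          = $dmsas
        RootKeys       = $rootKeys
        RootKeyReaders = $readers
    }
}

# Usage: produce the report and review the reader list for anything outside
# the small set of tier-0 principals that should be able to reach root key data.
$report = Get-DmsaExposureReport
"dMSAs: $($report.DmsaCount); KDS root keys: $(@($report.RootKeys).Count)"
$report.RootKeyReaders | Sort-Object IdentityReference -Unique | Format-Table -AutoSize
```

The reader list is the part to act on: any identity there that is not a tier-0 administrator or a built-in system principal widens the set of accounts from which the attack the article describes could be launched, and the dMSA list gives the scope of what such a key would expose.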

Image credit: iStock.com/MF3d
