A critical design flaw in Microsoft's latest Windows Server 2025 enables attackers to bypass authentication and generate passwords for all managed service accounts across enterprise networks. The vulnerability, dubbed "Golden dMSA," exploits a fundamental weakness in the newly introduced delegated Managed Service Accounts (dMSAs) that reduces complex cryptographic protections to a trivial brute-force attack requiring only 1,024 attempts.

Semperis Security Researcher Adi Malyanker discovered the vulnerability while analyzing the architecture of dMSAs, Microsoft's flagship security innovation designed to revolutionize service account management in Windows Server 2025. Unlike traditional service accounts, which rely on static passwords vulnerable to Kerberoasting attacks, dMSAs were engineered to bind authentication directly to authorized machines in Active Directory, eliminating credential theft by tying authentication to device identity rather than user-managed passwords. The Golden dMSA attack undermines this entire security model by exploiting a critical design flaw in the ManagedPasswordId structure used for password generation. Instead of following the normal dMSA authentication procedure, which requires machine identity validation, the Golden dMSA technique uses compromised cryptographic keys to generate valid passwords directly, rendering Credential Guard and similar protections irrelevant.

First, attackers extract cryptographic material from the Key Distribution Services (KDS) root key, which serves as the foundation for all managed service account passwords. Next, they enumerate dMSA accounts throughout the Active Directory forest using specialized techniques that bypass restrictive Access Control Lists. The attack operates at the forest level, meaning a single successful KDS root key extraction enables cross-domain lateral movement and compromise of every dMSA account across all domains within that forest. Since KDS root keys have no expiration date, this access could theoretically last indefinitely, creating a persistent backdoor that survives typical security rotations and updates.

Semperis rates this vulnerability as moderate risk because exploitation requires possession of a KDS root key, which is only accessible to the most privileged accounts: Domain Admins, Enterprise Admins, and SYSTEM-level access. However, the researchers emphasize that the impact can be extremely high, enabling attackers to bypass modern protections like Credential Guard and fundamentally challenging the assumed security benefits of machine-bound authentication.

Detection of Golden dMSA activity presents significant challenges for enterprise security teams. By default, no security events are logged when KDS root keys are compromised, so administrators must manually configure System Access Control Lists (SACLs) on KDS root key objects to audit read access. Organizations can also monitor for abnormal volumes of authentication requests targeting service accounts and unusual Ticket-Granting Ticket requests for dMSA accounts.
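The following is an added illustration of the monitoring approach described above, written for this page rather than taken from Semperis or the article. It assumes a defender-maintained inventory mapping each dMSA to the hosts authorized to use it, and runs three checks over constructed, simplified TGT-request records (the fields a Windows 4768 event carries): requests from hosts outside that inventory, bursts of requests for one dMSA, and one client requesting tickets for several dMSAs. All account names, addresses and timestamps are made up.

```python
from collections import defaultdict

# Constructed inventory of dMSAs and the hosts authorized to use them (made-up
# values; in practice this comes from your AD service-account inventory).
DMSA_AUTHORIZED_HOSTS = {
    "svc-web-dmsa$": {"10.0.1.10"},
    "svc-sql-dmsa$": {"10.0.1.20", "10.0.1.21"},
}

# Constructed, simplified TGT-request records (account, requesting client
# address, time in minutes). Not real log data.
SAMPLE_EVENTS = [
    {"account": "svc-web-dmsa$", "client_ip": "10.0.1.10", "minute": 1},
    {"account": "svc-web-dmsa$", "client_ip": "10.0.1.10", "minute": 30},
    {"account": "svc-sql-dmsa$", "client_ip": "10.0.1.21", "minute": 5},
    # burst of TGT requests for several dMSAs from one host not in the inventory
    {"account": "svc-web-dmsa$", "client_ip": "10.0.9.77", "minute": 40},
    {"account": "svc-sql-dmsa$", "client_ip": "10.0.9.77", "minute": 40},
    {"account": "svc-sql-dmsa$", "client_ip": "10.0.9.77", "minute": 41},
    {"account": "svc-sql-dmsa$", "client_ip": "10.0.9.77", "minute": 41},
    {"account": "WKSTN01$", "client_ip": "10.0.9.77", "minute": 41},  # plain computer account
]

def detect_dmsa_anomalies(events, authorized, window=5, volume_threshold=3):
    """Flag dMSA TGT requests that break the machine-binding assumption:
    unauthorized requesting hosts, bursts for one account within `window`
    minutes, and one client requesting tickets for more than one dMSA."""
    alerts = []
    minutes_by_account = defaultdict(list)
    dmsas_by_client = defaultdict(set)
    for ev in events:
        acct = ev["account"]
        if acct not in authorized:
            continue  # computer accounts also end in '$'; only inventoried dMSAs are in scope
        if ev["client_ip"] not in authorized[acct]:
            alerts.append(("unauthorized_host", acct, ev["client_ip"], ev["minute"]))
        minutes_by_account[acct].append(ev["minute"])
        dmsas_by_client[ev["client_ip"]].add(acct)
    for acct, minutes in minutes_by_account.items():
        minutes.sort()
        for i, start in enumerate(minutes):
            count = sum(1 for m in minutes[i:] if m < start + window)
            if count >= volume_threshold:
                alerts.append(("volume_spike", acct, count, start))
                break
    for client, accts in dmsas_by_client.items():
        if len(accts) > 1:
            alerts.append(("multi_dmsa_client", client, len(accts)))
    return alerts
```

On the constructed sample the rule reports four requests from the unauthorized host, one volume spike for the SQL dMSA, and one client touching more than one dMSA; tune `window` and `volume_threshold` to the baseline of your own environment.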
This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 16 Jul 2025 14:25:10 +0000