Windows Server 2025's delegated Managed Service Accounts (dMSAs) are affected by a critical design flaw in the password-generation computation that could be leveraged, through the new Golden dMSA attack technique, for indefinite cross-domain lateral movement and persistence across managed service accounts and Active Directory resources, according to The Hacker News.
Malicious actors who have already secured elevated privileges within a domain could launch the Golden dMSA attack by escalating privileges on a domain controller to extract KDS root key material, enumerating dMSA accounts, discovering the ManagedPasswordID attribute and password hashes, and then generating valid dMSA or gMSA passwords, a report from Semperis showed. The technique, which poses a significant persistence threat, exposes a "critical trust boundary" in managed service accounts, said Semperis researcher Adi Malyanker, who noted that the attack could be used to establish a forest-wide persistent backdoor. "What starts as one DC compromise escalates to owning every dMSA-protected service across an entire enterprise forest. It's not just privilege escalation. It's enterprise-wide digital domination through a single cryptographic vulnerability," Malyanker added.