Golden dMSA: Critical Windows Server 2025 Flaw Allows Full Active Directory Takeover
A newly discovered vulnerability in Windows Server 2025—dubbed Golden dMSA—poses a grave risk of widespread compromise across entire Active Directory infrastructures, according to a technical report published by enterprise cybersecurity firm Semperis.
The issue lies in the architecture of Delegated Managed Service Accounts (dMSA), introduced by Microsoft as a secure alternative to traditional service accounts. dMSA was designed to thwart Kerberoasting attacks, where threat actors request Kerberos service tickets encrypted with a service account's key and crack them offline to recover the account's password. This design restricts a service account to a specific domain-joined device, rendering credential theft or misuse from other machines virtually impossible.
However, researchers have uncovered a critical flaw in the password generation mechanism for dMSAs: it incorporates predictable components. Specifically, the initialization time is measured with second-level granularity, and the total number of possible combinations is limited to just 1,024—rendering brute-force attacks trivial, assuming access to the cryptographic seed material.
The heart of the vulnerability is the KDS root key—the master key of the Key Distribution Service, which underpins the entire gMSA and dMSA ecosystem. Possession of this key from any single domain controller enables an attacker to deterministically calculate the current passwords of all gMSA and dMSA accounts—without further need to query the domain controller. This transforms the exploit into a master key for lateral movement throughout the environment.
The Semperis team emphasizes that such an exploit grants persistent and undetectable access to any service within the domain or even the broader Active Directory forest. Alarmingly, even in environments with multiple root keys, Microsoft’s default behavior prioritizes the oldest key to maintain backward compatibility—effectively entrenching this vulnerability for the foreseeable future.
Executing the attack requires only one-time administrative access to a domain controller. With that, an adversary can extract the KDS root key, enumerate dMSA accounts using standard tools, identify relevant identifiers, and derive passwords. Armed with Kerberos tickets, they can impersonate service identities and access associated resources, with no need for ongoing privileged access—only that initial compromise.
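The objects named above (the KDS root keys and the gMSA/dMSA accounts whose passwords are derived from them) are the ones a defender needs to inventory to gauge the blast radius of a root-key compromise. The following PowerShell script is an added audit example; it is not the Semperis proof-of-concept tool and not Microsoft code. It uses the real `Get-KdsRootKey`, `Get-ADServiceAccount`, `Get-ADObject` and `Get-ADRootDSE` cmdlets; the property names it selects, the dMSA objectClass value `msDS-DelegatedManagedServiceAccount` and the `CN=Master Root Keys` container path are recalled from Microsoft documentation and should be treated as assumptions to verify in your own forest.

```powershell
# Added defensive audit example (not Semperis' tool, not Microsoft code).
# Lists the KDS root keys and the gMSA/dMSA accounts whose passwords derive
# from them, plus the directory objects that hold the key material, so an
# administrator can see what a single root-key compromise would expose.
# Run on a domain controller or an RSAT host with Domain Admin rights.
# Assumed: property names, the dMSA objectClass value and the container DN.

Import-Module ActiveDirectory
Import-Module Kds

function Get-KdsRootKeyInventory {
    # Every key matters: the article notes the oldest key is preferred by
    # default, so adding a newer key does not retire an older one.
    Get-KdsRootKey |
        Sort-Object CreationTime |
        Select-Object KeyId, CreationTime, EffectiveTime
}

function Get-ManagedServiceAccountInventory {
    # gMSA objectClass: msDS-GroupManagedServiceAccount
    # dMSA objectClass (Windows Server 2025, assumed): msDS-DelegatedManagedServiceAccount
    # Standalone MSAs (msDS-ManagedServiceAccount) do not use the KDS root key
    # and are filtered out.
    $kdsClasses = @('msDS-GroupManagedServiceAccount',
                    'msDS-DelegatedManagedServiceAccount')
    $props = @('ObjectClass', 'Created', 'ServicePrincipalName',
               'PrincipalsAllowedToRetrieveManagedPassword')

    Get-ADServiceAccount -Filter * -Properties $props |
        Where-Object { $_.ObjectClass -in $kdsClasses } |
        ForEach-Object {
            [pscustomobject]@{
                Name       = $_.Name
                Kind       = if ($_.ObjectClass -eq 'msDS-DelegatedManagedServiceAccount') { 'dMSA' } else { 'gMSA' }
                Created    = $_.Created
                SpnCount   = @($_.ServicePrincipalName).Count
                # Principals that may legitimately retrieve the password.
                # Broad groups here (e.g. Domain Computers) widen exposure
                # regardless of the root-key issue.
                Retrievers = (@($_.PrincipalsAllowedToRetrieveManagedPassword) -join '; ')
            }
        }
}

function Get-KdsRootKeyObjects {
    # The root-key objects live in the configuration partition; reading the
    # key material from them is the one-time DC access step in the article.
    # A SACL on this container (directory object access, event ID 4662)
    # gives you a detection hook; this function only lists what to audit.
    $config = (Get-ADRootDSE).configurationNamingContext
    $base   = "CN=Master Root Keys,CN=Group Key Distribution Service,CN=Services,$config"  # assumed DN
    Get-ADObject -SearchBase $base -LDAPFilter '(objectClass=msKds-ProvRootKey)' -Properties whenCreated |
        Select-Object Name, DistinguishedName, whenCreated
}

# Report
$keys     = @(Get-KdsRootKeyInventory)
$accounts = @(Get-ManagedServiceAccountInventory)

Write-Host "KDS root keys in the forest: $($keys.Count)"
$keys | Format-Table -AutoSize

Write-Host "gMSA/dMSA accounts whose passwords derive from those keys: $($accounts.Count)"
$accounts | Sort-Object Kind, Name | Format-Table -AutoSize

Write-Host "Root-key objects to place under read auditing:"
Get-KdsRootKeyObjects | Format-Table -AutoSize
```

The account list is the set of identities an attacker holding the root key could impersonate; the root-key object list is where to put an audit SACL so that reads of the key material by anything other than a domain controller generate an event you can alert on. Since rotating to a new key does not help (the oldest key stays preferred), the practical controls are limiting and monitoring access to these objects and keeping the set of privileged principals that can reach a domain controller as small as possible.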
Of particular concern is the fact that this technique completely bypasses Credential Guard, Microsoft’s flagship defense against the theft of NTLM hashes and Kerberos tickets. In essence, this attack circumvents every layer of protection Microsoft has implemented to safeguard domain credentials.
Microsoft, which was notified of the issue on May 27, 2025, acknowledged that compromise of the KDS root key would enable full recovery of all account credentials. The company clarified that its architecture was never designed to withstand full domain controller compromise.
Semperis has released an open-source tool demonstrating the Golden dMSA attack. According to the researchers, even a single successful breach can grant indefinite, undetected control over all services within a corporate network. This is not merely a privilege escalation—it is the wholesale takeover of an enterprise’s infrastructure.