Edward Kiledjian's Threat Intel

Golden dMSA Flaw Exposes Firms to Major Credential Theft

A critical cryptographic design flaw in the delegated Managed Service Accounts (dMSAs) introduced in Windows Server 2025 lets an attacker generate valid current and future passwords for every gMSA and dMSA across an Active Directory forest. The "Golden dMSA" attack, disclosed by Semperis, starts from the forest's KDS root key, which can only be obtained with SYSTEM on a domain controller or Domain Admin or Enterprise Admin rights. With that key in hand, the ManagedPasswordId structure used in password derivation is the only remaining unknown, and its time-based component has just 1,024 possible values, so brute-forcing it is trivial. Because each password is recomputed offline rather than read from the directory, the technique leaves no LDAP read of msDS-ManagedPassword to audit and survives routine password rotation, giving persistent, forest-wide access to every service running under a managed account. Microsoft acknowledged the issue but rated it moderate, stating that managed service accounts were never designed to defend against a domain controller compromise: an attacker who holds the KDS root key already possesses the secrets from which those passwords are derived.