A critical design flaw in delegated Managed Service Accounts (dMSAs) in Windows Server 2025 could have severe security consequences. The flaw may allow attackers to access all managed service accounts and their resources indefinitely. Exploiting it requires possession of a Key Distribution Service (KDS) root key, which is typically held only by privileged accounts. Because the structure used to generate passwords contains predictable time-based components, brute-forcing the generated passwords becomes simple. The vulnerability potentially enables lateral movement across domains and the compromise of every associated service account.
The flaw can result in high-impact attacks, enabling cross-domain lateral movement and persistent access to all managed service accounts and their resources across Active Directory indefinitely.
Successful exploitation could allow adversaries to sidestep authentication guardrails and generate passwords for all Delegated Managed Service Accounts (dMSAs) and group Managed Service Accounts (gMSAs) and their associated service accounts.
The attack leverages a critical design flaw: a structure used in the password-generation computation contains predictable time-based components with only 1,024 possible combinations, making brute-force password generation computationally trivial.
Described as the crown jewel of Microsoft's gMSA infrastructure, the KDS root key serves as a master key, allowing an attacker to derive the current password for any dMSA or gMSA account without having to connect to the domain controller.
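As an added defensive check (not code from the article, from Microsoft, or from the researchers), the PowerShell below inventories the KDS root keys in the forest and the managed service accounts whose passwords derive from them, along with the principals permitted to retrieve each password. It assumes the ActiveDirectory module and the KDS cmdlets are available (RSAT or a domain controller) and that Get-ADServiceAccount returns dMSA objects on Windows Server 2025, which is an assumption.

```powershell
# Added defensive inventory; not part of the original article.
# Assumes the ActiveDirectory module and the KDS cmdlets (Get-KdsRootKey)
# are present, and that Get-ADServiceAccount also returns dMSA objects.
Import-Module ActiveDirectory

# 1. KDS root keys. Every root key is a master key for managed-password
#    derivation, so each key's creation time should match a known change
#    window, and any unexpected key warrants investigation.
Write-Host "KDS root keys:"
Get-KdsRootKey | ForEach-Object {
    [pscustomobject]@{
        KeyId         = $_.KeyId
        CreationTime  = $_.CreationTime
        EffectiveTime = $_.EffectiveTime
    }
} | Format-Table -AutoSize

# 2. Managed service accounts (gMSA, dMSA, standalone MSA) and the principals
#    allowed to retrieve their managed password. This is the set of accounts
#    exposed if a root key is compromised, and the retriever list shows who
#    can already read each password through the normal, logged path.
$accounts = Get-ADServiceAccount -Filter * -Properties ObjectClass,
    PrincipalsAllowedToRetrieveManagedPassword, ServicePrincipalNames

$report = foreach ($a in $accounts) {
    # objectClass values: msDS-GroupManagedServiceAccount (gMSA),
    # msDS-DelegatedManagedServiceAccount (dMSA), msDS-ManagedServiceAccount (sMSA)
    $type = if ($a.ObjectClass -like '*Delegated*') { 'dMSA' }
            elseif ($a.ObjectClass -like '*Group*') { 'gMSA' }
            else { 'sMSA' }
    [pscustomobject]@{
        Name       = $a.Name
        Type       = $type
        Retrievers = ($a.PrincipalsAllowedToRetrieveManagedPassword -join '; ')
        SPNCount   = @($a.ServicePrincipalNames).Count
    }
}

Write-Host "Managed service accounts and password retrievers:"
$report | Sort-Object Type, Name | Format-Table -AutoSize
```

An empty Retrievers column on a gMSA or dMSA that is in active use is worth a second look, since it suggests the account is being accessed by a path other than the intended one.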