Latest news with #WindowsServer2025
Techday NZ
17-07-2025
- Business
- Techday NZ
Windows Server 2025 flaw lets attackers persist in Active Directory
Semperis researchers have identified a design flaw in Windows Server 2025 that could leave managed service accounts vulnerable to undetected attacks. Vulnerability details The flaw, which researchers are calling 'Golden dMSA', affects delegated Managed Service Accounts (dMSAs) within Windows Server 2025. According to Semperis, the vulnerability could allow attackers to achieve persistent, undetected access to these accounts, potentially exposing resources across Active Directory for indefinite periods and enabling cross-domain lateral movement. Researcher Adi Malyanker from Semperis has developed a tool named GoldenDMSA, which incorporates the logic of the attack and enables security professionals to simulate and understand the risks posed by the vulnerability. The tool aims to help defenders evaluate how the technique might be exploited in their own environments. Technical findings The Golden dMSA attack centres on a cryptographic vulnerability in Microsoft's newly introduced security features within Windows Server 2025. The architectural setup of dMSAs is exploited because the ManagedPasswordId structure contains time-based components that are predictable. These components offer only 1,024 possible combinations, making it computationally trivial for attackers to brute-force service account passwords. "Golden dMSA exposes a critical design flaw that could let attackers generate service account passwords and persist undetected in Active Directory environments," said Malyanker. "I built a tool that helps defenders and researchers better understand the mechanism of the attack. Organisations should proactively assess their systems to stay ahead of this emerging threat." This flaw means that threat actors could potentially move laterally across domains and maintain access over time, evading detection by traditional monitoring methods. Industry context The new research on Golden dMSA follows previous identity-related discoveries by Semperis. The company's researchers have also highlighted a vulnerability called nOauth in Microsoft's Entra ID, which is known to enable full account takeover in certain vulnerable SaaS applications with limited attacker interaction. Within the last year, Semperis further developed detection capabilities in its Directory Services Protector platform to defend against BadSuccessor, described as a severe privilege escalation technique that targets a newly introduced feature in Windows Server 2025. The team previously identified Silver SAML, which is a variant of the SolarWinds-era Golden SAML technique. Silver SAML is notable for its ability to bypass standard security defences in applications integrated with Entra ID. Recommendations and implications Semperis is advising organisations using Windows Server 2025 to consider proactively assessing their managed service accounts and other identity infrastructure. By understanding the mechanism of the newly disclosed attack and employing simulation tools such as GoldenDMSA, security and IT teams can evaluate their exposure and consider mitigation strategies. The discovery of Golden dMSA highlights ongoing challenges in identity and account management security, particularly as new features are introduced into widely used enterprise systems like Active Directory. The predictability of password generation mechanisms, as exposed by Malyanker's research, underscores the importance of cryptographic design choices in authentication frameworks. Semperis continues its focus on identity security research and has called on others in the cybersecurity community to stay vigilant as new issues emerge with changes in enterprise software architecture and security models. Follow us on: Share on:
Techday NZ
16-07-2025
- Techday NZ
Golden dMSA flaw in Windows Server 2025 exposes Active Directory
Security researchers have identified a critical flaw in delegated Managed Service Accounts (dMSA) within Windows Server 2025 that could allow attackers to maintain persistent and widespread access across Active Directory environments. Flaw found in dMSA The vulnerability, uncovered by Semperis security researcher Adi Malyanker, has been termed the Golden dMSA attack. It takes advantage of a design issue in dMSAs, a security feature first introduced in Windows Server 2025, which can be misused by bad actors to gain ongoing access and elevate privileges across domains after compromising a forest-level account. Malyanker developed a tool named GoldenDMSA to demonstrate and analyse the technique, enabling security practitioners to examine in detail how the attack could be executed in operational networks. The research shows that the attack leverages a predictable element within the ManagedPasswordId structure of dMSAs. This identifier includes time-based components that, according to Semperis, present only 1,024 possible combinations. This low number of possibilities makes brute-force attacks on service account passwords computationally straightforward, potentially enabling a threat actor not only to persist in an Active Directory environment but also to move laterally across domains. "Golden dMSA exposes a critical design flaw that could let attackers generate service account passwords and persist undetected in Active Directory environments. I built a tool that helps defenders and researchers better understand the mechanism of the attack. Organisations should proactively assess their systems to stay ahead of this emerging threat," said Malyanker. Risk assessment and implications Semperis has rated the risk associated with the Golden dMSA technique as moderate. However, the researchers warn that in cases where an attacker achieves initial forest-level compromise, the method could make it possible to completely take over dMSA or Group Managed Service Account (gMSA) environments. Successful exploitation would allow attackers to maintain control without detection for extended periods, posing a severe threat to corporate and governmental IT infrastructure. The potential for widespread, persistent access stems from the architectural flaw in how dMSA passwords are generated and managed. By exploiting the weak cryptographic and structural protections, attackers could automate the generation of valid account credentials for managed service accounts, undermining protections intended to secure critical identity services. Recent related work The Golden dMSA research builds on previous work by Semperis in the field of identity threat detection. The group has reported on other vulnerabilities, such as nOauth, which affects Microsoft's Entra ID and may permit full account takeover in software-as-a-service applications. Semperis has also implemented detection features in its Directory Services Protector platform to defend against BadSuccessor, another high-impact privilege escalation technique that targets a recently introduced functionality in Windows Server 2025. This comes in addition to the Silver SAML vulnerability discovered by the team, a new variant related to Golden SAML attacks from the SolarWinds incident, which can bypass conventional security measures in Entra ID-integrated applications. Recommendations and industry impact The research underscores the need for organisations using Windows Server 2025 and managed service accounts to carry out active risk assessments and update their security controls. Attackers exploiting weaknesses in dMSA structures could not only remain undetected but also have unrestricted access to valuable resources across a company's entire digital estate. Industry observers and IT departments are expected to analyse the implications of the flaw, explore mitigation options, and consider how tools such as GoldenDMSA can be used by defenders to better understand and counteract these attack vectors. The ability to simulate attacks is viewed as a vital capability for defenders and researchers, supporting a more robust defensive posture against evolving identity-based threats.
Techday NZ
10-06-2025
- Business
- Techday NZ
Semperis adds detection for BadSuccessor flaw in Windows 2025
Cybersecurity firm Semperis has introduced new detection capabilities in its Directory Services Protector (DSP) platform, aiming to protect organisations against "BadSuccessor" — a newly disclosed privilege escalation technique in Windows Server 2025 that currently has no available patch. The BadSuccessor flaw, revealed by researchers at Akamai, targets delegated Managed Service Accounts (dMSAs), a new Windows Server 2025 feature designed to enhance the security of service accounts. Instead, the researchers demonstrated how the feature can be exploited to impersonate highly privileged users in Active Directory, such as Domain Admins, without needing additional credentials or triggering alerts. In direct response to Akamai's findings, Semperis worked with the researchers to develop and deploy new detection indicators within its DSP platform. The enhancements include one new Indicator of Exposure (IOE) and three Indicators of Compromise (IOCs), designed to help organisations identify early signs of potential abuse. "Semperis moved quickly to translate the vulnerability into real-world detection capabilities for defenders, demonstrating how collaboration between researchers and vendors can lead to rapid, meaningful impact," said Yuval Gordon, Security Researcher at Akamai. The detection indicators are focused on revealing abnormal behaviour around dMSAs, including excessive delegation rights, suspicious links between dMSAs and privileged accounts, and attempts to target sensitive credentials like the KRBTGT account. According to Semperis, this can give security teams a vital head start in identifying attacks before they can escalate. "Service accounts remain one of the least governed yet most powerful assets in enterprise environments," said Tomer Nahum, Security Researcher at Semperis. "This collaboration with Akamai allowed us to close detection gaps fast and give defenders visibility into a deeply complex area of Active Directory that attackers continue to exploit." The vulnerability has broad implications. Any organisation operating at least one domain controller (DC) running Windows Server 2025 may be at risk. According to Semperis, even a single misconfigured DC using dMSAs could expose the entire Active Directory environment to compromise. As there is currently no fix for the vulnerability, Semperis is urging organisations to take immediate steps to protect their environments. These include auditing dMSA configurations, reviewing delegation permissions, and employing detection tools such as the updated DSP platform. The new detection features aim to support defenders in closing a critical visibility gap. Service accounts, such as dMSAs, often run with elevated privileges but remain unmonitored or poorly managed in many enterprise environments. This lack of oversight creates a potential blind spot for attackers to exploit — a challenge the BadSuccessor technique highlights sharply. Semperis stated that the DSP update is available now and is intended to offer a stopgap solution for organisations as they await official mitigation from Microsoft. The case also serves as a reminder of the growing complexity of managing hybrid identity environments. With attackers increasingly targeting infrastructure such as Active Directory, new features — however well-intentioned — can quickly become unexpected attack vectors. Gordon added, "The abuse of service accounts is a growing concern, and this high-profile vulnerability is a wake-up call." Until a patch is released, security teams are advised to remain vigilant and proactive. By monitoring dMSA activity and understanding their configuration risks, organisations can reduce their exposure to what could otherwise be a silent but highly impactful method of privilege escalation.
Techday NZ
09-06-2025
- Business
- Techday NZ
Semperis adds detection for dMSA attacks in Windows Server
Semperis has announced new detection capabilities in its Directory Services Protector platform in collaboration with Akamai to address the "BadSuccessor" privilege escalation technique in Windows Server 2025. BadSuccessor targets a new Windows Server 2025 feature called delegated Managed Service Accounts (dMSAs), which was designed to improve service account security. Researchers at Akamai have shown that attackers can exploit dMSAs to impersonate highly privileged users, such as Domain Admins, within Active Directory. At present, there is no patch available to address this vulnerability. Service accounts, including dMSAs, often operate with extensive or unmonitored privileges, creating potential security risks for enterprises. The exploitation method uncovered by Akamai highlights ongoing challenges in securing service accounts and preventing unexpected attack vectors within large organisations. In response, Semperis has updated its Directory Services Protector platform to include one new Indicator of Exposure and three Indicators of Compromise aimed at detecting abnormal dMSA activity. These enhancements will enable security teams to identify excessive delegation rights, malicious connections between dMSAs and privileged user accounts, and attacks directed at sensitive accounts such as KRBTGT. "Semperis moved quickly to translate the vulnerability into real-world detection capabilities for defenders, demonstrating how collaboration between researchers and vendors can lead to rapid, meaningful impact. The abuse of service accounts is a growing concern, and this high-profile vulnerability is a wake-up call," said Yuval Gordon, Security Researcher at Akamai. "Service accounts remain one of the least governed yet most powerful assets in enterprise environments. This collaboration with Akamai allowed us to close detection gaps fast and give defenders visibility into a deeply complex area of Active Directory that attackers continue to exploit," said Tomer Nahum, Security Researcher at Semperis. The vulnerability is present in any organisation that operates at least one domain controller running Windows Server 2025. According to Semperis, a single misconfigured domain controller can place the entire environment at risk. Until vendors release an official patch, organisations are encouraged to audit dMSA permissions and use detection tools to monitor for misuse. Semperis is reinforcing cybersecurity for enterprises by protecting critical identity services that underpin hybrid and multi-cloud environments. Purpose-built for securing complex identity infrastructures — including Active Directory, Entra ID, and Okta — Semperis' AI-powered platform safeguards more than 100 million identities from cyberattacks, data breaches, and operational missteps. Headquartered in Hoboken, New Jersey, the privately held international company supports major global brands and government agencies, with customers spanning over 40 countries. Beyond its core technology offerings, Semperis is recognized for its commitment to the cybersecurity community. The company sponsors a range of industry resources, including the award-winning Hybrid Identity Protection (HIP) Conference, the HIP Podcast, and free identity security tools such as Purple Knight and Forest Druid. With its dual mission to protect digital infrastructure and empower the security community, Semperis continues to play a pivotal role in advancing global cyber resilience. Follow us on: Share on:
Forbes
21-05-2025
- Forbes
New Windows Server 2025 Attack Compromises Any Active Directory User
New Windows Server 2025 vulnerability confirmed. Although you are far more likely to read about vulnerabilities impacting the Windows operating system, including those that have long since reached end-of-support status such as Windows 7, this doesn't mean that Windows Server users are not in the crosshairs of threat actors. Far from it, and not just legacy versions either, as security researchers reveal a new, and trivial to implement, Windows Server 2025 vulnerability that could compromise any Active Directory user. Here's what you need to know. Privilege escalation vulnerabilities are among the worst you can be faced with, as, rather obviously, they enable a successful attacker to do way more than they should be able to given the lack of permissions they started with. Yuval Gordon, a senior security researcher at Akamai Technologies, has exclusively shared details of a particularly concerning privilege escalation vulnerability impacting Windows Server 2025. Not only because, as Gordon explained, it allows an attacker to 'compromise any user in Active Directory,' but also as it 'works with the default configuration, and is trivial to implement.' If you thought things couldn't get any worse, you'd be wrong: no patch is currently available. Akamai has named the vulnerability and associated exploit as BadSuccessor, and confirmed that it abuses the delegated Managed Service Account feature introduced with Windows Server 2025. 'In 91% of the environments we examined,' Gordon said, 'we found users outside the domain admins group that had the required permissions to perform this attack.' BadSuccessor might be trivial to implement, but the consequences of a successful attack are far from the same. Full attack flow, showing all steps needed to have a BadSuccessor. A key feature of dMSA is the ability to migrate existing and non-managed service accounts by seamlessly converting them into dMSAs, and it's this that is the issue. 'By abusing dMSAs, attackers can take over any principal in the domain,' Gordon said. All an attacker needs to be able to exploit the BadSuccessor vulnerability is a seemingly benign permission on any organizational unit in the domain. Here's the real killer though: as long as you have one Windows Server 2025 domain controller, your domain doesn't even need to be using dMSAs at all, the exploit will work anyway. I would advise every Windows Server administrator to read the full report in its entirety, and as a matter of some urgency. In the meantime, I spoke with Yuval Gordon who reiterated that BadSuccessor is not only 'so dangerous because the attack is so simple,' but added that Akamai researchers were 'surprised that we were first to discover it.' The only good news, such as it is, would be that there is no evidence to conclusively show that BadSuccessor has been exploited by attackers in the wild at this point, but given that 'most organisations aren't currently monitoring the relevant events,' Gordon said it's hard to say for certain . Gordon recommended that organizations and admins need to identify which users have the specific permissions that make this attack possible, and, having done so, review and remove unnecessary permissions. 'We're releasing a PowerShell script alongside the blog post to help with that,' Gordon told me, so that would be a good starting point. 'It highlights exactly which users have risky access so defenders know where to focus,' Gordon concluded. I reached out to Microsoft for a statement, and a spokesman said: 'We appreciate Akamai for identifying and responsibly reporting this issue. After careful investigation, this case was rated as a Moderate severity that does not meet our bar for immediate servicing, as the technique requires elevated user permissions to be successful. We will look to address this issue in a future update.' Microsoft also said that for BadSuccessor to be successful, an attacker would require access to the msds-groupMSAMembership attribute of the dMSA. This attribute allows the user to utilize the The attacker needs write access to this attribute, which allows them to specify a user, such as an administrator, that the dMSA can act on behalf of. All users of Windows Server 2025 are advised to take action and protect against the threat until Microsoft issues a fix.
