Critical Windows Server 2025 dMSA Vulnerability Enables Active Directory Compromise

By Admin | May 22, 2025

May 22, 2025 | Red Lakshmanan | Cybersecurity / Vulnerability

A privilege escalation flaw has been demonstrated in Windows Server 2025 that allows attackers to compromise any user in Active Directory (AD).

“The attack exploits the delegated Managed Service Account (dMSA) feature that was introduced in Windows Server 2025, works with the default configuration, and is trivial to implement,” Akamai security researcher Gordon Gordon noted in a report shared with Hacker News.

“This issue likely affects most organizations that rely on AD. In 91% of the environments we examined, we found users outside the Domain Admins group that had the required permissions to perform this attack.”

What makes the attack path notable is that it uses a new feature called Delegated Managed Service Accounts (dMSA), which allows migration from an existing legacy service account. It was introduced in Windows Server 2025 as a mitigation for Kerberoasting attacks.

The attack technique has been named BadSuccessor by the web infrastructure and security company.

“dMSA allows users to create them as a standalone account or to replace an existing standard service account,” Microsoft notes in its documentation. “When a dMSA supersedes an existing account, authentication to that existing account using its password is blocked.”

“The request is redirected to the Local Security Authority (LSA) to authenticate using dMSA, which has access to everything the previous account could access in AD. During migration, dMSA automatically learns the devices on which the service account is to be used, which is then used to move from all existing service accounts.”

The problem identified by Akamai is that during the dMSA Kerberos authentication phase, the Privilege Attribute Certificate (PAC) embedded in the ticket-granting ticket (i.e., the credentials used to verify identity) issued by the Key Distribution Center (KDC) includes both the dMSA's security identifier (SID) and the SIDs of the superseded service account and all of its associated groups.

This transfer of permissions between accounts can open the door to a potential privilege escalation scenario: by simulating the dMSA migration process, an attacker can compromise any user, including domain administrators, and gain similar privileges, effectively breaching the entire domain even if the organization's Windows Server 2025 domain does not use dMSAs at all.

“One interesting fact about this ‘simulated migration’ technique is that it doesn't require any permissions over the superseded account,” Gordon said. “The only requirement is write permissions over the attributes of a dMSA. Any dMSA.”

“Once we've marked a dMSA as preceded by a user, the KDC automatically assumes a legitimate migration took place and happily grants our dMSA every single permission that the original user had, as if we are its rightful successor.”

Akamai said it reported the findings to Microsoft on April 1, 2025, after which the tech giant classified the issue as moderate in severity and said it does not meet the bar for immediate servicing, because successful exploitation requires the attacker to have specific permissions on the dMSA object, which suggests an elevation of privileges. However, a patch is currently in the works.

Given that there is no immediate fix for the attack, organizations are advised to limit the ability to create dMSAs and harden permissions wherever possible. Akamai has also released a PowerShell script that can enumerate all non-default principals who can create dMSAs and list the organizational units (OUs) in which each principal has this permission.

“This vulnerability introduces a previously unknown and high-impact abuse path that makes it possible for any user with the CreateChild permission to compromise any user in the domain and gain similar power to the Replicating Directory Changes privilege used to perform DCSync attacks,” Gordon said.
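One way to run the permission audit recommended above, as an added example that is neither Akamai's script nor code from the original article: it reports principals outside an expected baseline that hold CreateChild, or a right that lets them grant it to themselves, on each OU. The `$DmsaClassGuid` value is a constructed placeholder and the `$expected` baseline is an assumption to adjust for your domain.

```powershell
# Added example: flags who can create (or grant themselves the right to create) dMSAs per OU.
Import-Module ActiveDirectory

# ASSUMPTION: constructed placeholder. Replace with the schemaIDGUID of the
# dMSA object class read from your own forest's schema.
$DmsaClassGuid = [guid]'11111111-2222-3333-4444-555555555555'
$AllObjects    = [guid]::Empty          # ACE not scoped to one child class

# ASSUMPTION: baseline of principals expected to hold these rights
# (SYSTEM, BUILTIN\Administrators, Domain Admins, Enterprise Admins).
$domainSid = (Get-ADDomain).DomainSID.Value
$expected  = @('S-1-5-18', 'S-1-5-32-544', "$domainSid-512", "$domainSid-519")

# CreateChild creates the object directly; WriteDacl and WriteOwner let the
# holder grant CreateChild to itself. GenericAll contains all three bits.
$adr  = [System.DirectoryServices.ActiveDirectoryRights]
$mask = [int]($adr::CreateChild -bor $adr::WriteDacl -bor $adr::WriteOwner)
$sidType     = [System.Security.Principal.SecurityIdentifier]
$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

$findings = foreach ($ou in Get-ADOrganizationalUnit -Filter * -Properties nTSecurityDescriptor) {
    $sd = $ou.nTSecurityDescriptor

    # The owner can always rewrite the DACL, so report it as well.
    $owner = $sd.GetOwner($sidType).Value
    if ($owner -notin $expected) {
        [pscustomobject]@{ Principal = $owner; OU = $ou.DistinguishedName; Rights = 'Owner' }
    }

    foreach ($ace in $sd.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.ActiveDirectoryRights -band $mask) -eq 0) { continue }
        if ($ace.ObjectType -notin $AllObjects, $DmsaClassGuid) { continue }
        # Inherit-only ACEs apply to descendants, not to this OU itself.
        if (([int]$ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }
        $sid = $ace.IdentityReference.Value
        if ($sid -in $expected) { continue }
        [pscustomobject]@{ Principal = $sid; OU = $ou.DistinguishedName; Rights = "$($ace.ActiveDirectoryRights)" }
    }
}

# One row per principal with the OUs where it holds the right.
$findings | Group-Object Principal | ForEach-Object {
    [pscustomobject]@{
        Principal = $_.Name
        OUs       = ($_.Group.OU | Sort-Object -Unique) -join '; '
    }
}
```

Each principal in the output is a candidate for having the right removed or scoped to a dedicated OU.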
