Home > Security > Security News

Critical Privilege Escalation Flaw Found in Microsoft Active Directory dMSA Feature

Published
Written by:
Lore Apostol
Lore Apostol
Cybersecurity & Streaming Writer
Microsoft

A critical elevation of privilege (EoP) vulnerability affects organizations using Microsoft Windows Server 2025. The root of the issue lies in delegated Managed Service Accounts (dMSA), a feature introduced to simplify service account management in Active Directory (AD). 

Akamai research has uncovered how attackers can manipulate the dMSA migration process to escalate their permissions and compromise any AD principal, including privileged accounts like Domain Admins.

The dMSA accounts are intended to streamline the migration from legacy service accounts by inheriting their permissions. According to security researcher Yuval Gordon’s analysis, the vulnerability emerges due to inadequate validation in the migration process. 

Full attack flow
Full attack flow | Source: Akamai

Attackers with write access to specific dMSA attributes can set the msDS-ManagedAccountPrecededByLink and change msDS-DelegatedMSAState, effectively “simulating” a migration. 

Subsequently, the Kerberos Key Distribution Center (KDC) grants the dMSA all the permissions and group memberships of the targeted account, without actual group modifications or obvious audit trails.

Remarkably, the attack does not require prior compromise of the victim user account. Any user able to create a dMSA within an organizational unit (OU) they control can leverage this vector. 

Akamai found that in 91% of environments reviewed, at least some non-admin users possess the necessary permissions, magnifying operational risk.

This flaw empowers an attacker with the permission to create dMSA objects to become any user in the domain, including the ability to escalate to Domain Admin. The attack also enables the inheritance of cryptographic keys, making credential compromise possible on a wide scale.

Add a Comment
Related
Coinbase cryptocurrency market
Over 69,000 Customers Impacted in Recently Revealed 2024 Coinbase Security Breach
Cloudflare DDoS
Fake Cloudflare Verification Attack Targets WordPress Sites with Advanced Multi-Stage Malware
APT28 Russian State Campaign Against Western Firms Intensifies, Gathering Intel on Ukraine Aid
mobile security
AT&T, T-Mobile, Verizon Under Scrutiny for Failing to Notify Lawmakers of Surveillance Requests 
Lumma Stealer Malware Network Shut Down Following Coordinated Operation 
US College Student to Plead Guilty to Involvement in Recent PowerSchool Data Breach
Most Popular
Coinbase cryptocurrency market
Over 69,000 Customers Impacted in Recently Revealed 2024 Coinbase Security Breach
Cloudflare DDoS
Fake Cloudflare Verification Attack Targets WordPress Sites with Advanced Multi-Stage Malware
ExpressVPN Rolls Out AircoveOS v5.3
ExpressVPN Rolls Out AircoveOS v5.3: What to Expect
Tom Cruise in Mission Impossible: The Final Reckoning
Mission: Impossible - The Final Reckoning Ending Explained: Ethan Hunt’s fate, Post-Credit Scene, and more
APT28 Russian State Campaign Against Western Firms Intensifies, Gathering Intel on Ukraine Aid
mobile security
AT&T, T-Mobile, Verizon Under Scrutiny for Failing to Notify Lawmakers of Surveillance Requests 
Over 69,000 Customers Impacted in Recently Revealed 2024 Coinbase Security Breach
Fake Cloudflare Verification Attack Targets WordPress Sites with Advanced Multi-Stage Malware
ExpressVPN Rolls Out AircoveOS v5.3: What to Expect
Mission: Impossible - The Final Reckoning Ending Explained: Ethan Hunt’s fate, Post-Credit Scene, and more
APT28 Russian State Campaign Against Western Firms Intensifies, Gathering Intel on Ukraine Aid
AT&T, T-Mobile, Verizon Under Scrutiny for Failing to Notify Lawmakers of Surveillance Requests 

Most Popular
Coinbase cryptocurrency market
Over 69,000 Customers Impacted in Recently Revealed 2024 Coinbase Security Breach
Cloudflare DDoS
Fake Cloudflare Verification Attack Targets WordPress Sites with Advanced Multi-Stage Malware
ExpressVPN Rolls Out AircoveOS v5.3
ExpressVPN Rolls Out AircoveOS v5.3: What to Expect
Tom Cruise in Mission Impossible: The Final Reckoning
Mission: Impossible - The Final Reckoning Ending Explained: Ethan Hunt’s fate, Post-Credit Scene, and more
APT28 Russian State Campaign Against Western Firms Intensifies, Gathering Intel on Ukraine Aid
mobile security
AT&T, T-Mobile, Verizon Under Scrutiny for Failing to Notify Lawmakers of Surveillance Requests 
Over 69,000 Customers Impacted in Recently Revealed 2024 Coinbase Security Breach
Fake Cloudflare Verification Attack Targets WordPress Sites with Advanced Multi-Stage Malware
ExpressVPN Rolls Out AircoveOS v5.3: What to Expect
Mission: Impossible - The Final Reckoning Ending Explained: Ethan Hunt’s fate, Post-Credit Scene, and more
APT28 Russian State Campaign Against Western Firms Intensifies, Gathering Intel on Ukraine Aid
AT&T, T-Mobile, Verizon Under Scrutiny for Failing to Notify Lawmakers of Surveillance Requests 

TechNadu keeps you informed with the latest in cybersecurity, VPNs, streaming, and technology. From expert guides to in-depth reviews, we provide the knowledge you need to stay secure and connected in the digital world.

© 2025 TechNadu. All Rights Reserved. TechNadu is a part of Leaprove Media LLP.

Close lightbox
Facebook
Twitter
Linkedin
Reddit
Email
Copy Link
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: