ZoeCyber
May 22, 2025 at 09:04 PM
*Critical Vulnerability in Windows Server 2025: Active Directory Compromise*

A newly discovered vulnerability in Windows Server 2025's Delegated Managed Service Account (dMSA) feature allows attackers to compromise any user in Active Directory (AD), potentially breaching the entire domain.

*The Vulnerability:*

The dMSA feature, introduced in Windows Server 2025, allows migration from legacy service accounts. However, researchers found that during the Kerberos authentication phase, the Privilege Attribute Certificate (PAC) issued for the dMSA includes the SIDs of the superseded service account and its associated groups. Because the dMSA inherits those memberships, this can lead to privilege escalation.

*How it Works:*

1. *Simulated migration*: Attackers can simulate the dMSA migration process to compromise any user, including domain administrators.
2. *No permissions required over the target*: The attack doesn't require permissions over the superseded account, only write permissions over the dMSA's attributes.
3. *KDC grants permissions*: The Key Distribution Center (KDC) automatically grants the dMSA every permission the original user had.

*Impact:*

- *High-impact abuse path*: The vulnerability allows attackers to compromise any user in the domain, gaining power similar to the Replicating Directory Changes privilege used in DCSync attacks.
- *Most organizations affected*: 91% of environments examined had users outside the Domain Admins group with the permissions required to perform this attack.

*Mitigation:*

- *Limit dMSA creation*: Restrict the ability to create dMSAs and harden permissions on the OUs and containers where they can be created.
- *PowerShell script*: Akamai released a script to enumerate non-default principals who can create dMSAs and list the OUs where they hold this permission.

*Patch in the Works:*

Microsoft is working on a patch, but until then, organizations should take precautions to secure their Active Directory environments.
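To make the "limit dMSA creation" mitigation concrete, the following is an added audit script written for this post; it is not Akamai's script and not part of the original. It assumes a domain-joined host with the RSAT ActiveDirectory module and read access to OU ACLs. It resolves the schemaIDGUID of the msDS-DelegatedManagedServiceAccount class at runtime rather than hard-coding it, then walks every OU (plus the domain root and its top-level containers) and reports any Allow ACE that grants CreateChild for that class (or for all child classes), GenericAll, WriteDacl or WriteOwner to a principal outside the built-in expected set. The $expected list is an assumption to be adjusted per environment.

```powershell
# Added audit example (not Akamai's script). Assumes RSAT ActiveDirectory module and a domain-joined host.
Import-Module ActiveDirectory

# Resolve the dMSA object class GUID from the schema instead of hard-coding it.
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$dmsaClass = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=msDS-DelegatedManagedServiceAccount)' -Properties schemaIDGUID
$dmsaGuid  = [guid]$dmsaClass.schemaIDGUID
$anyChild  = [guid]::Empty   # ObjectType of all zeros means the right applies to every child class

# Principals expected to hold these rights; everything else is reported for review (assumption, tune per domain).
$domain   = Get-ADDomain
$netbios  = $domain.NetBIOSName
$expected = @(
    'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
    "$netbios\Domain Admins", "$netbios\Enterprise Admins"
)

$ADR = [System.DirectoryServices.ActiveDirectoryRights]

# Containers to audit: all OUs, the domain root, and top-level containers (e.g. Managed Service Accounts).
$targets  = @(Get-ADOrganizationalUnit -Filter *)
$targets += Get-ADObject -Identity $domain.DistinguishedName
$targets += Get-ADObject -SearchBase $domain.DistinguishedName -SearchScope OneLevel `
    -LDAPFilter '(objectClass=container)'

$findings = foreach ($obj in $targets) {
    $acl = Get-Acl -Path "AD:\$($obj.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = $ace.ActiveDirectoryRights

        # Direct ability to create a dMSA object in this container.
        $createDmsa = $rights.HasFlag($ADR::CreateChild) -and
                      ($ace.ObjectType -eq $dmsaGuid -or $ace.ObjectType -eq $anyChild)
        $createDmsa = $createDmsa -or $rights.HasFlag($ADR::GenericAll)

        # WriteDacl / WriteOwner let a principal grant itself CreateChild later.
        $canEscalate = $rights.HasFlag($ADR::WriteDacl) -or $rights.HasFlag($ADR::WriteOwner)

        if (-not ($createDmsa -or $canEscalate)) { continue }

        $who = $ace.IdentityReference.Value
        if ($expected -contains $who) { continue }

        [pscustomobject]@{
            Container = $obj.DistinguishedName
            Principal = $who
            Rights    = $rights
            Inherited = $ace.IsInherited
            Reason    = if ($createDmsa) { 'CanCreateDMSA' } else { 'CanModifyACL' }
        }
    }
}

$findings | Sort-Object Container, Principal | Format-Table -AutoSize
```

Run it from an elevated PowerShell session on a domain-joined host; each reported row is a principal that either can already create a dMSA in that container or can rewrite the container's DACL to grant itself that right. Rows showing a raw SID rather than a name usually correspond to deleted principals and are candidates for ACL cleanup. Removing or tightening these ACEs, and restricting CreateChild for the dMSA class to a small administrative group, is the hardening step the post refers to.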
