“Golden DMSA” – Windows gets its own Wonka ticket for hackers

Security researchers have uncovered a new Windows privilege‑escalation trick dubbed “Golden DMSA.” The technique abuses the Digital Media Streaming Authentication (DMSA) protocol baked into every modern version of Windows. By replaying a single network handshake, an attacker can mint a “golden” DMSA token that Windows happily accepts as the real McCoy, granting SYSTEM‑level access on the target box and, in many cases, a stepping‑stone to full domain admin.
Microsoft quietly fixed the underlying bug in the July 2025 Patch Tuesday updates (KB5036027 / KB5036028), but proof‑of‑concept code is already circulating on GitHub. Home editions are vulnerable, yet enterprises running domain‑joined machines are the real prize. Immediate patching is advised; if that must wait, disabling the Windows Media Feature Pack or blocking TCP 2869 (the UPnP eventing port that Windows' SSDP Discovery service listens on; plain SSDP itself runs over UDP 1900) also neuters the exploit. Because the replay lands on the victim's listener, the firewall rule has to block the port inbound on the machine being protected, not outbound. So far, no in‑the‑wild attacks have been confirmed, but telemetry suggests probing activity has begun.

Patch Tuesday has arrived with a golden wrapper—sadly, not the chocolatey kind. Researchers have spotted a cheeky exploit nicknamed Golden DMSA, and it hands out SYSTEM privileges faster than Willy Wonka dishes sweets.

What on earth is DMSA?
Digital Media Streaming Authentication sounds friendly—your PC checks it’s allowed to stream tunes to the telly. Trouble is, Windows will also accept a replayed handshake it has already seen once and roll out the red carpet for any passer‑by.

How the trick works
1. Attacker lurks on the network and snaffles a legitimate DMSA handshake.
2. They replay it to a victim machine.
3. Windows shrugs, says “looks fine to me,” and grants SYSTEM rights.
4. Cue evil cackling and a brisk march towards domain admin.

Who’s at risk?
Every supported version of Windows that has not yet installed July 2025’s KB5036027 or KB5036028. Home PCs are vulnerable, but corporate laptops on the same Wi‑Fi are the real jackpot.
How to stay out of the chocolate river
• Patch now—run Windows Update, brew a cuppa, job done.
• If patching must wait, disable the Windows Media Feature Pack or block TCP 2869 inbound on every machine you want protected (the replay arrives at the victim’s port, so an outbound‑only rule stops nothing).
Keep an eye on GitHub: proof‑of‑concept scripts are multiplying like Oompa‑Loompas.
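For admins who want to script the check and the interim mitigations above, here is an added example (not code from the article or from the researchers it cites). It is written for an elevated PowerShell session, takes the KB numbers and port from this page, and assumes that the “Windows Media Feature Pack” corresponds to the `Media.MediaFeaturePack*` capability on N editions and the `MediaPlayback` optional feature elsewhere; the firewall rule name is made up for the example.

```powershell
# Added example: check for the July 2025 fixes named on this page and, if they are
# absent, apply the two interim mitigations it describes.
# Assumptions (not verified here): KB IDs and port are as stated on the page;
# the Media Feature Pack maps to the capability/feature names below; the rule
# name is hypothetical. Run from an elevated PowerShell prompt.

$kbs = @('KB5036027', 'KB5036028')   # KB IDs taken from the page

# 1. Is either fix already installed? Get-HotFix exposes the KB as HotFixID.
$installed = Get-HotFix | Where-Object { $kbs -contains $_.HotFixID }
if ($installed) {
    Write-Host "Fixed: $($installed.HotFixID -join ', ') present; no interim mitigation needed."
    return
}
Write-Warning "Neither $($kbs -join ' nor ') is installed; applying interim mitigations."

# 2a. N editions ship the Media Feature Pack as an optional capability (name pattern is an assumption;
#     confirm with Get-WindowsCapability -Online).
$mfp = Get-WindowsCapability -Online |
       Where-Object { $_.Name -like 'Media.MediaFeaturePack*' -and $_.State -eq 'Installed' }
foreach ($cap in $mfp) {
    Remove-WindowsCapability -Online -Name $cap.Name | Out-Null
    Write-Host "Removed capability $($cap.Name)"
}

# 2b. On other editions the equivalent is the MediaPlayback optional feature (assumption).
$mp = Get-WindowsOptionalFeature -Online -FeatureName 'MediaPlayback' -ErrorAction SilentlyContinue
if ($mp -and $mp.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName 'MediaPlayback' -NoRestart | Out-Null
    Write-Host "Disabled optional feature MediaPlayback (reboot may be required)."
}

# 3. Block TCP 2869 on the protected machine. The replay arrives at the victim's listener,
#    so the rule must be Inbound; an Outbound block would not interrupt the attack.
$ruleName = 'Block-TCP2869-GoldenDMSA-Interim'   # hypothetical rule name
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
                        -LocalPort 2869 -Action Block -Profile Any | Out-Null
    Write-Host "Created inbound block rule for TCP 2869."
}

# 4. Show the resulting rule so the direction and port can be eyeballed.
Get-NetFirewallRule -DisplayName $ruleName |
    Select-Object DisplayName, Direction, Action, Enabled
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallPortFilter | Select-Object Protocol, LocalPort
```

Once the real update lands, rerun the script: the hotfix check will short‑circuit before the mitigations, and the interim firewall rule can be removed with `Remove-NetFirewallRule -DisplayName 'Block-TCP2869-GoldenDMSA-Interim'`.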