CVE-2025-15553

Summary

Non-working logout functionality in Truesec’s LAPSWebUI before version 2.4 allows an attacker with access to a workstation to escalate their privileges via disclosure of local admin password.

Affected Software

VendorProductVersion RangeStatus
TruesecLAPSWebUI0 < 2.4affected
TruesecLAPSWebUI2.4unaffected

Weaknesses

  • CWE-613: CWE-613 Insufficient session expiration

Workarounds

Configure LAPSWebUI to require Entra ID sign-in every time a user wants to display a password, by enabling the setting Force Reauth on Password request.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References