CVE-2025-15554

Summary

Browser caching of LAPS passwords in Truesec’s LAPSWebUI before version 2.4 allows an attacker with access to a workstation to escalate their privileges via disclosure of local admin passwords.

Affected Software

VendorProductVersion RangeStatus
TruesecLAPSWebUI0 < 2.4affected
TruesecLAPSWebUI2.4unaffected

Weaknesses

  • CWE-525: CWE-525 Use of web browser cache containing sensitive information

Workarounds

Make sure the web server hosting LAPSWebUI sets the following HTTP response header: Cache-Control: no-store

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References