Skip to main content

Lapswebui CVE-2025-15553

| EUVDEUVD-2025-208693 MEDIUM
Insufficient Session Expiration (CWE-613)
2026-03-16 NCSC-FI
6.0
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.0 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
2.4
EUVD ID Assigned
Mar 16, 2026 - 11:00 euvd
EUVD-2025-208693
Analysis Generated
Mar 16, 2026 - 11:00 vuln.today
CVE Published
Mar 16, 2026 - 10:45 nvd
MEDIUM 6.0

DescriptionCVE.org

Non-working logout functionality in Truesec’s LAPSWebUI before version 2.4 allows an attacker with access to a workstation to escalate their privileges via disclosure of local admin password.

AnalysisAI

LAPSWebUI before version 2.4 contains a non-functional logout mechanism that allows an authenticated local attacker to obtain elevated privileges through disclosure of cached local administrator passwords. An attacker with existing workstation access and low privileges can exploit this flaw to escalate to local admin by recovering credentials that should have been cleared upon session termination. The vulnerability carries a CVSS v4.0 score of 6.0 (Medium) with local attack vector and requires prior login plus user interaction, though the confidentiality impact on sensitive credentials is marked as high.

Technical ContextAI

LAPSWebUI (Local Administrator Password Solution Web User Interface) by Truesec is a web-based management interface for LAPS credential distribution and rotation in Windows environments. The vulnerability stems from CWE-613 (Insufficient Session Expiration), a session management flaw where the logout endpoint fails to properly invalidate active sessions or clear sensitive data from application memory and browser caches. The affected CPE is cpe:2.3:a:truesec:lapswebui, with versions prior to 2.4 vulnerable. The root cause involves improper cleanup of sensitive password data stored in the UI context during session termination, allowing an attacker to access cached or residual credentials after the legitimate user departs.

RemediationAI

Upgrade LAPSWebUI to version 2.4 or later immediately by obtaining the patched release from Truesec's official distribution channels and applying it across all deployed instances. Until patching can be completed, enforce strict physical and logical access controls to workstations running LAPSWebUI, mandate screen locks after brief idle periods (e.g., 5 minutes), and implement endpoint detection and response (EDR) monitoring for suspicious credential access patterns. Consider restricting LAPSWebUI access to a dedicated administrative workstation or bastion host with enhanced logging. Review LAPS credential rotation frequency to minimize exposure window if cached credentials are obtained.

Share

CVE-2025-15553 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy