CVE-2025-15554

EUVD-2025-208695 | MEDIUM
2026-03-16 | NCSC-FI
CVSS 4.0 base score: 6.0

CVSS Vector

CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: Passive (P)
Scope: X

Lifecycle Timeline

Analysis Generated: Mar 16, 2026 - 11:00 (vuln.today)
EUVD ID Assigned: Mar 16, 2026 - 11:00 (euvd), EUVD-2025-208695
CVE Published: Mar 16, 2026 - 10:46 (nvd), MEDIUM 6.0

Description

Browser caching of LAPS passwords in Truesec’s LAPSWebUI before version 2.4 allows an attacker with access to a workstation to escalate their privileges via disclosure of local admin passwords.

Analysis

LAPSWebUI before version 2.4 by Truesec improperly caches LAPS (Local Administrator Password Solution) passwords in browser storage, allowing a local attacker with user-level access to retrieve plaintext or weakly protected admin credentials from the browser cache. An attacker who gains access to a workstation where an administrator has used LAPSWebUI can escalate privileges to local administrator by exploiting this caching behavior. While the CVSS score is moderate at 6.0, the practical impact is high because successful exploitation directly enables privilege escalation to administrative access.

Technical Context

LAPSWebUI is a web-based management interface for Microsoft's Local Administrator Password Solution (LAPS), which rotates and securely stores local administrator passwords in Active Directory. The vulnerability stems from CWE-525 (Use of Web-Browser Cache Containing Sensitive Information), where sensitive authentication credentials are stored in browser cache mechanisms (such as browser localStorage, sessionStorage, or HTTP cache headers) without sufficient protection. The root cause is improper cache control directives and lack of memory-only handling for LAPS password data. The affected product is Truesec's LAPSWebUI, identified by CPE string cpe:2.3:a:truesec:lapswebui. When administrators retrieve LAPS passwords through the web UI prior to version 2.4, the application fails to clear or encrypt cached copies of these passwords, leaving them accessible to subsequent users of the same workstation.

Affected Products

Truesec LAPSWebUI versions prior to 2.4 are affected, as confirmed by the CVE description and vendor advisory references. The vulnerability affects all deployments of LAPSWebUI before version 2.4, regardless of the underlying operating system or browser. Organizations using LAPSWebUI for LAPS password management should check their installed version against the Truesec security advisory at https://truesec.com/security-advisories (or the applicable vendor security page) to confirm whether their deployment is vulnerable.

Remediation

Immediately upgrade Truesec LAPSWebUI to version 2.4 or later, which remediates the browser caching issue by implementing proper cache control headers and in-memory-only password handling. Consult the Truesec security advisory for specific upgrade procedures and any data migration requirements. As interim mitigations pending the upgrade: restrict access to systems running LAPSWebUI to trusted administrators only; enforce browser auto-logout and cache clearing policies via group policy or browser configuration management; disable browser caching for the LAPSWebUI domain using HTTP headers (Cache-Control: no-store, no-cache; Pragma: no-cache); and audit browser cache and temporary files on systems where administrators have accessed LAPSWebUI to detect any previously cached credentials.
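To verify the HTTP-cache part of the interim mitigation above, the following added example (not code from vuln.today, Truesec or LAPSWebUI) parses a response's Cache-Control directives, reports why a password-bearing response could be persisted by the browser, and produces the hardened header set. The sample header dictionaries are constructed for illustration and are not captured from the product; note that headers alone do not address copies kept in localStorage or sessionStorage.

```python
"""Check and harden response cache headers for responses that carry secrets (CWE-525)."""
from typing import Dict, List, Mapping, Optional

# Constructed sample responses, labelled as such; not captured from LAPSWebUI.
WEAK_RESPONSE = {
    "Content-Type": "application/json",
    "Cache-Control": "private, max-age=600",   # may be written to the on-disk cache
}
HARDENED_RESPONSE = {
    "Content-Type": "application/json",
    "Cache-Control": "no-store, no-cache",     # directives named in the remediation
    "Pragma": "no-cache",
}


def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """Split a Cache-Control header into {directive: argument-or-None}, case-insensitively."""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(","):
        part = part.strip().lower()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip()] = arg.strip().strip('"') or None
    return directives


def cache_findings(headers: Mapping[str, str]) -> List[str]:
    """Return the reasons a response may be cached; an empty list means it will not be stored."""
    lower = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(lower.get("cache-control", ""))
    findings = []
    if "no-store" not in cc:
        findings.append("Cache-Control lacks no-store: body may be written to the disk cache")
    if "max-age" in cc and cc["max-age"] not in (None, "0"):
        findings.append(f"Cache-Control max-age={cc['max-age']} permits reuse of the response")
    if lower.get("pragma", "").strip().lower() != "no-cache":
        findings.append("Pragma: no-cache missing (needed for HTTP/1.0 caches)")
    return findings


def harden(headers: Mapping[str, str]) -> Dict[str, str]:
    """Return a copy of the headers with the remediation's no-store directives applied."""
    skip = ("cache-control", "pragma", "expires")
    out = {k: v for k, v in headers.items() if k.lower() not in skip}
    out["Cache-Control"] = "no-store, no-cache"
    out["Pragma"] = "no-cache"
    return out


if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(name, cache_findings(hdrs) or "OK")
```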

Priority Score

Priority Score: 30 (scale: Low, Medium, High, Critical)
KEV: 0
EPSS: +0.0
CVSS: +30
POC: 0
