CVE-2025-15554 Overview
CVE-2025-15554 is an information disclosure vulnerability affecting Truesec's LAPSWebUI prior to version 2.4. The vulnerability allows browser caching of LAPS (Local Administrator Password Solution) passwords, which can be exploited by an attacker with access to a workstation to escalate their privileges through disclosure of local administrator passwords.
Critical Impact
Exposure of local administrator passwords through browser cache could enable privilege escalation and lateral movement across networked systems managed by LAPS.
Affected Products
- Truesec LAPSWebUI versions prior to 2.4
Discovery Timeline
- 2026-03-16 - CVE-2025-15554 published to NVD
- 2026-03-16 - Last updated in NVD database
Technical Details for CVE-2025-15554
Vulnerability Analysis
This vulnerability (CWE-525: Use of Web Browser Cache Containing Sensitive Information) stems from improper handling of sensitive credential data in the browser context. LAPSWebUI, a web-based interface for Microsoft LAPS that allows administrators to retrieve local administrator passwords, fails to implement proper cache-control directives when displaying these sensitive credentials.
When administrators use the LAPSWebUI interface to retrieve LAPS-managed passwords, the browser may cache the password values in its local storage, disk cache, or memory. This cached data persists beyond the user's session and can be recovered by subsequent users of the same workstation or by malware with access to the browser's cache storage.
The local attack vector requires an adversary to have physical or remote access to a workstation where an administrator has previously used LAPSWebUI. Once access is obtained, the attacker can extract cached password data from browser storage, potentially gaining administrative access to multiple systems managed by LAPS.
Root Cause
The root cause of this vulnerability is the lack of proper HTTP cache-control headers and browser security directives when serving pages containing LAPS passwords. Without explicit instructions to prevent caching (such as Cache-Control: no-store, Pragma: no-cache, and appropriate meta tags), browsers will cache sensitive credential data according to their default caching behavior.
Additionally, the application may not be implementing proper input field attributes like autocomplete="off" for password display fields, allowing browsers to store this sensitive information in autocomplete databases.
Attack Vector
The attack requires local access to a workstation where LAPSWebUI has been used. An attacker with low privileges on the system can exploit this vulnerability through the following approach:
- The attacker gains access to a workstation used by administrators to access LAPSWebUI
- The attacker examines browser cache directories, history, or uses browser developer tools
- Cached LAPS password data is extracted from browser storage
- The attacker uses the recovered local administrator passwords to escalate privileges
For detailed technical information, refer to the ReverseC Security Advisory.
Detection Methods for CVE-2025-15554
Indicators of Compromise
- Unexpected browser cache access or enumeration on administrator workstations
- Unauthorized authentication attempts using LAPS-managed local administrator accounts
- Access to browser profile directories by non-standard processes
- Anomalous logon events using local administrator credentials across multiple endpoints
Detection Strategies
- Monitor for unusual file access to browser cache directories (e.g., %LocalAppData%\Google\Chrome\User Data\Default\Cache)
- Implement alerting on successful local administrator logons from workstations that don't typically use those credentials
- Deploy endpoint detection rules to identify cache extraction tools or scripts
- Audit LAPSWebUI access logs and correlate with subsequent privileged account usage
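The correlation described in the last two strategies, as an added example that is not part of the advisory or of Truesec's code. The LAPSWebUI log line format and the logon record format are constructed, simplified stand-ins (the logon lines represent Windows 4624 events already normalised by a SIEM); an alert fires when a local administrator logon reaches a host whose LAPS password was recently retrieved, but comes from a workstation other than the one the retrieval was made from.

```python
"""Correlate LAPSWebUI password retrievals with later local-administrator logons."""
from datetime import datetime, timedelta

# Constructed sample: hypothetical LAPSWebUI log format
# "<ISO time> retrieve user=<admin> host=<target> from=<workstation>"
RETRIEVALS = """\
2026-03-16T09:02:11 retrieve user=alice host=SRV-FILE01 from=WS-ALICE
2026-03-16T09:05:40 retrieve user=bob host=SRV-DB02 from=WS-SHARED7
"""
# Constructed sample: SIEM-normalised logon records (stand-in for event ID 4624)
# "<ISO time> logon account=<acct> host=<target> from=<workstation>"
LOGONS = """\
2026-03-16T09:10:05 logon account=Administrator host=SRV-FILE01 from=WS-ALICE
2026-03-16T18:44:19 logon account=Administrator host=SRV-DB02 from=WS-SHARED7
2026-03-17T02:13:52 logon account=Administrator host=SRV-DB02 from=WS-KIOSK3
2026-03-17T03:00:00 logon account=Administrator host=SRV-WEB09 from=WS-KIOSK3
"""

def parse(text):
    """Parse '<ts> <kind> k=v k=v ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        ts, _kind, rest = line.split(" ", 2)
        fields = dict(kv.split("=", 1) for kv in rest.split())
        fields["ts"] = datetime.fromisoformat(ts)
        events.append(fields)
    return events

def correlate(retrievals, logons, window=timedelta(hours=72)):
    """Return alerts for local-admin logons that do not match a recent retrieval's origin."""
    alerts = []
    for lg in logons:
        # Retrievals of this host's password in the window before the logon
        prior = [r for r in retrievals if r["host"] == lg["host"]
                 and timedelta(0) <= lg["ts"] - r["ts"] <= window]
        if not prior:
            continue  # no LAPS retrieval for this host: out of scope for this rule
        expected_sources = {r["from"] for r in prior}
        if lg["from"] not in expected_sources:
            alerts.append({"host": lg["host"], "from": lg["from"],
                           "ts": lg["ts"].isoformat(),
                           "retrieved_by": sorted(r["user"] for r in prior)})
    return alerts

if __name__ == "__main__":
    for alert in correlate(parse(RETRIEVALS), parse(LOGONS)):
        print("ALERT: local admin logon from unexpected workstation:", alert)
```

In the sample data only the logon to SRV-DB02 from WS-KIOSK3 fires; the same account reaching SRV-WEB09 is ignored because no retrieval for that host exists in the window, so the rule is meant to sit alongside the baseline-based alerting on unusual local administrator logons.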
Monitoring Recommendations
- Enable advanced auditing on endpoints to track browser cache directory access
- Implement User Behavior Analytics (UBA) to detect privilege escalation patterns
- Monitor for lateral movement using local administrator accounts following workstation access
- Review and alert on LAPSWebUI usage patterns to identify potential reconnaissance activity
How to Mitigate CVE-2025-15554
Immediate Actions Required
- Upgrade Truesec LAPSWebUI to version 2.4 or later immediately
- Clear browser caches on all workstations where administrators have accessed LAPSWebUI
- Rotate LAPS-managed local administrator passwords across all managed endpoints
- Restrict LAPSWebUI access to dedicated admin workstations with strict access controls
- Consider implementing browser isolation or using private browsing modes for accessing LAPSWebUI
Patch Information
Truesec has addressed this vulnerability in LAPSWebUI version 2.4. Organizations should upgrade to this version or later to ensure proper cache-control headers are implemented. For additional information, consult the ReverseC Security Advisory.
Workarounds
- Configure web server or reverse proxy to add cache-control headers (Cache-Control: no-store, no-cache, must-revalidate)
- Instruct administrators to use private/incognito browsing sessions when accessing LAPSWebUI
- Implement browser policies via Group Policy to disable caching on sensitive administrative sites
- Deploy dedicated Privileged Access Workstations (PAWs) with strict browser configurations for LAPS administration
# Example nginx reverse-proxy configuration adding cache-control headers for LAPSWebUI
location / {
    # Drop any caching headers the backend sets so they cannot conflict with ours
    proxy_hide_header Cache-Control;
    proxy_hide_header Pragma;
    proxy_hide_header Expires;
    # "always" emits the headers on error responses too (without it, add_header only
    # applies to 2xx/3xx). Note: add_header directives in a location block replace
    # any inherited from the enclosing server block, so repeat them here.
    add_header Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate" always;
    add_header Pragma "no-cache" always;
    add_header Expires "0" always;
    # Proxy to LAPSWebUI application
    proxy_pass http://lapswebui-backend;
}
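An added check for verifying the workaround above and the root-cause conditions described earlier; it is not code from Truesec or the advisory. `audit_response` inspects a captured response for the no-store and Pragma directives and for password-bearing input fields that lack autocomplete="off"; `audit_url` is a hypothetical helper that fetches a live page and applies the same checks.

```python
"""Audit an HTTP response for the cache-control weaknesses behind CVE-2025-15554."""
import re
from urllib.request import Request, urlopen

INPUT_TAG = re.compile(r"<input\b[^>]*>", re.IGNORECASE)
AUTOCOMPLETE_OFF = re.compile(r'autocomplete\s*=\s*"?off', re.IGNORECASE)

def parse_cache_control(value):
    """Turn 'no-store, max-age=0' into {'no-store': None, 'max-age': '0'}."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().lower().partition("=")
        if name:
            directives[name] = arg.strip().strip('"') or None
    return directives

def audit_response(headers, body=""):
    """Return a list of findings; an empty list means the response is cache-safe."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" not in cc:
        findings.append("Cache-Control lacks no-store: browsers may write the page to disk cache")
    if h.get("pragma", "").strip().lower() != "no-cache":
        findings.append("Pragma: no-cache missing: HTTP/1.0 caches and proxies are not told to skip caching")
    # Any input whose type/name/id mentions 'password' must opt out of browser autofill
    for tag in INPUT_TAG.findall(body):
        if "password" in tag.lower() and not AUTOCOMPLETE_OFF.search(tag):
            findings.append('password field without autocomplete="off": ' + tag)
    return findings

def audit_url(url):
    """Hypothetical helper: fetch a live page (e.g. a password view) and audit it."""
    with urlopen(Request(url)) as resp:
        return audit_response(dict(resp.headers), resp.read().decode("utf-8", "replace"))

if __name__ == "__main__":
    # Constructed sample response resembling a page that renders a LAPS password
    sample_headers = {"Content-Type": "text/html"}
    sample_body = '<input type="text" id="lapsPassword" value="Secret1">'
    for finding in audit_response(sample_headers, sample_body):
        print("FINDING:", finding)
```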
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

