CVE-2025-15552 in LAPSWebUIinfo

Summary

by MITRE • 03/16/2026

Insufficient Session Expiration in Truesec’s LAPSWebUI before version 2.4 allows an attacker with access to a workstation to escalate their privileges via disclosure of a local admin password.


Analysis

by VulDB Data Team • 03/16/2026

CVE-2025-15552 affects Truesec's LAPSWebUI before version 2.4. LAPSWebUI is a web front end for looking up local administrator passwords managed by LAPS (Local Administrator Password Solution), which gives each managed endpoint its own rotated local admin password. The flaw is in the web UI's session management: sessions are not expired as they should be (CWE-613, Insufficient Session Expiration). An attacker who already has access to a workstation on which an authorized user has opened a LAPSWebUI session can reuse that session to read local administrator passwords, escalating from ordinary workstation access to local administrator on the hosts whose passwords the session owner is allowed to retrieve.

A session in an application like this should end after a defined period of inactivity, after an absolute maximum lifetime, and immediately on logout, and the server has to enforce this itself: an expiry set on the cookie is advisory only and is ignored by anyone who replays the cookie value directly. In versions before 2.4, LAPSWebUI does not enforce expiration adequately, so a session established by an authorized user stays usable for longer than expected. This is the pattern CWE-613 describes. The practical consequence is that an attacker with access to the same workstation, whether at an unlocked console or with a copy of the browser's session cookie, can keep using the authorized user's session without re-authenticating, which sidesteps the access control that the login step is meant to provide.
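The contrast between a session store that honours a token until the process restarts and one that enforces idle timeout, absolute lifetime and server-side logout, as an added example for this page. This is illustrative code, not Truesec LAPSWebUI's implementation, and the timeout values, the `helpdesk` user and the replay timings are assumptions chosen for the demonstration.

```python
# Added illustration of CWE-613 (Insufficient Session Expiration) in a
# server-side session store. Example code written for this page; it is not
# LAPSWebUI's implementation, and the timeouts below are assumed values.
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    user: str
    created: float      # seconds since epoch at login
    last_seen: float    # seconds since epoch at the last validated request


class NeverExpiringSessionStore:
    """Vulnerable pattern: once issued, a token is honoured until the process
    restarts, and logout only makes the client forget it."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str, now: float) -> str:
        token = secrets.token_urlsafe(32)  # 256 random bits: unguessable, but never invalidated
        self._sessions[token] = Session(user, now, now)
        return token

    def validate(self, token: str, now: float) -> Optional[str]:
        s = self._sessions.get(token)
        if s is None:
            return None
        s.last_seen = now
        return s.user

    def logout(self, token: str) -> None:
        # The defect: nothing is removed server-side, so a replayed cookie still works.
        pass


class ExpiringSessionStore(NeverExpiringSessionStore):
    """Hardened store: idle timeout, absolute lifetime and real server-side logout."""

    def __init__(self, idle_timeout: float, absolute_timeout: float) -> None:
        super().__init__()
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout

    def validate(self, token: str, now: float) -> Optional[str]:
        s = self._sessions.get(token)
        if s is None:
            return None
        # Drop the session on inactivity or once its absolute lifetime is used up.
        if now - s.last_seen > self.idle_timeout or now - s.created > self.absolute_timeout:
            del self._sessions[token]
            return None
        s.last_seen = now
        return s.user

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)  # invalidate on the server, not just in the browser


def replay_scenario(store: NeverExpiringSessionStore, idle_gap: float) -> Dict[str, Optional[str]]:
    """Constructed scenario: a helpdesk user logs in at t=0, uses the UI at
    t=60, then walks away. Someone with access to the same workstation replays
    the cookie `idle_gap` seconds later, and again after the user logs out."""
    token = store.login("helpdesk", now=0.0)
    result = {"user": store.validate(token, now=60.0)}
    result["replay_after_idle"] = store.validate(token, now=60.0 + idle_gap)
    store.logout(token)
    result["replay_after_logout"] = store.validate(token, now=60.0 + idle_gap + 1.0)
    return result


if __name__ == "__main__":
    two_hours = 2 * 3600.0
    print("vulnerable:", replay_scenario(NeverExpiringSessionStore(), two_hours))
    print("hardened:  ", replay_scenario(
        ExpiringSessionStore(idle_timeout=15 * 60, absolute_timeout=8 * 3600), two_hours))
```

With the vulnerable store every replay returns `helpdesk`; with the hardened store the replay two hours later and the replay after logout both return `None`. The same check, run against a real deployment by capturing a cookie and resending it after the documented timeout and after logout, is how to verify that a web UI actually enforces expiration rather than merely setting `Max-Age` on the cookie.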

The impact is privilege escalation. LAPS exists so that the local administrator password on each endpoint is unique and rotated, and the web UI exposes those passwords to authorized staff such as helpdesk and administrators. An attacker who reuses a still-valid session can query the passwords the session owner is permitted to read, which in a typical helpdesk deployment covers many endpoints, and then log on to those machines as local administrator. In MITRE ATT&CK terms this is T1550.004 (Use Alternate Authentication Material: Web Session Cookie) to obtain the passwords, followed by T1078.003 (Valid Accounts: Local Accounts) to use them; phishing is not part of the chain, since the precondition is existing access to a workstation. The protection LAPS provides against lateral movement with shared local administrator credentials is undermined on exactly the hosts whose passwords were read.

Because the precondition is only access to a workstation where an authorized user has a LAPSWebUI session, little sophistication is needed beyond that initial foothold, and the escalation step uses legitimate credentials through a legitimate session, so it is hard to tell apart from normal helpdesk activity in logs. The outcome is local administrator access on the affected hosts, from which credential theft, lateral movement and persistence can follow; whether that reaches domain compromise depends on what those hosts hold. Remediation is to upgrade LAPSWebUI to version 2.4 or later. Until then, and as standing practice: have users log out rather than just close the browser, keep workstations that run the UI locked and not shared, verify that a session really becomes unusable after logout and after an idle period by replaying a captured cookie against the server once the expected timeout has passed, and monitor access to the LAPSWebUI interface and password lookups for activity that does not match expected use.

Responsible: NCSC-FI

Reservation: 02/02/2026

Disclosure: 03/16/2026

Moderation: accepted

CPE: ready

EPSS: 0.00018

KEV: no

Activities: very low
