Cyber Resilience

CVE-2025-15554

Medium

Published: 16 March 2026

Modified: 07 April 2026
KEV added: not listed
CVSS v4 score: 6.0 (CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0002 (5.5th percentile)
Risk priority: 12 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-15554 is a medium-severity Use of Web Browser Cache Containing Sensitive Information (CWE-525) vulnerability in Truesec LAPSWebUI. Its CVSS v4 base score is 6.0 (Medium).

Exploitation maps to the MITRE ATT&CK technique Credentials In Files (T1552.001). EPSS ranks the vulnerability at the 5.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-11 (Device Lock) and IA-5 (Authenticator Management).

Deeper analysis

CVE-2025-15554 is a vulnerability in Truesec's LAPSWebUI prior to version 2.4 that allows the browser to cache Local Administrator Password Solution (LAPS) passwords. An attacker who can read the cached data from the browser recovers local administrator passwords and so escalates privileges. The issue is classified under CWE-525 and carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high impact with local access and low privileges required. Note that the CVSS v4 vector listed above scores user interaction as passive (UI:P), whereas the v3.1 vector scores it as none (UI:N).

An attacker with physical or logical access to a workstation on which the affected LAPSWebUI has been used can exploit this vulnerability without user interaction: by reading the browser's cache or storage, they can extract LAPS passwords for local administrators and gain full administrative control of the target system. This matters most in environments where LAPSWebUI is the day-to-day tool for retrieving workstation passwords, since many workstations may hold cached copies.

The advisory published by Reversec Labs details mitigation strategies and recommends upgrading to LAPSWebUI version 2.4 or later to address the caching issue (https://labs.reversec.com/advisories/2026/03/admin-passwords-cached-by-browsers-in-truesec-lapswebui). Security practitioners should also verify that browser caches on workstations used with LAPSWebUI have been cleared and monitor for unauthorized access to those workstations.
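The root cause class here (CWE-525) is a response carrying a secret that the browser is permitted to store. The following Python header linter is an added example, not code from Truesec, Reversec Labs or this page, and it does not reproduce the specific LAPSWebUI defect. It checks whether a response's caching headers allow a browser or intermediary cache to keep a copy, and shows the hardened header set a defender would expect on any page that renders a LAPS password. The header values are constructed for the example.

```python
"""
Added example (not code from Truesec, Reversec Labs, or this page): a
linter for the caching policy of HTTP responses that carry secrets such as
LAPS passwords. It flags responses a browser is allowed to store (CWE-525)
and produces the header set that prevents storage. Sample headers below
are constructed for the example.
"""
from typing import Dict, List


def _directives(cache_control: str) -> Dict[str, str]:
    """Parse a Cache-Control value into a lower-cased {directive: value} map."""
    out: Dict[str, str] = {}
    for part in cache_control.split(","):
        part = part.strip().lower()
        if not part:
            continue
        name, _, value = part.partition("=")
        out[name.strip()] = value.strip().strip('"')
    return out


def cache_findings(headers: Dict[str, str]) -> List[str]:
    """Return the problems with the caching policy of a response that contains
    sensitive data. An empty list means a conforming cache must not store it."""
    # Header names are case-insensitive (RFC 9110), so normalise them first.
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    cc = _directives(h.get("cache-control", ""))
    # 'no-store' is the directive that forbids writing the response to disk;
    # 'no-cache' alone only forces revalidation and still allows storage.
    if "no-store" not in cc:
        findings.append("Cache-Control lacks 'no-store': response may be written to the browser cache")
    if "public" in cc:
        findings.append("Cache-Control 'public' permits shared caches to store the response")
    if "max-age" in cc and cc["max-age"] not in ("0", ""):
        findings.append(f"Cache-Control max-age={cc['max-age']} allows reuse of a stored copy")
    # Pragma: no-cache is the HTTP/1.0 fallback for older intermediaries.
    if h.get("pragma", "").lower() != "no-cache":
        findings.append("Pragma: no-cache missing (HTTP/1.0 intermediaries may cache)")
    return findings


def hardened_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of the headers with a non-storable caching policy applied."""
    fixed = {k: v for k, v in headers.items()
             if k.lower() not in ("cache-control", "pragma", "expires")}
    fixed["Cache-Control"] = "no-store, no-cache, must-revalidate, max-age=0"
    fixed["Pragma"] = "no-cache"
    fixed["Expires"] = "0"
    return fixed


# Constructed sample: a weak response as a password-viewing page might send it.
WEAK_RESPONSE_HEADERS = {
    "Content-Type": "application/json",
    "Cache-Control": "public, max-age=600",
}

if __name__ == "__main__":
    for finding in cache_findings(WEAK_RESPONSE_HEADERS):
        print("FINDING:", finding)
    print("after hardening:", cache_findings(hardened_headers(WEAK_RESPONSE_HEADERS)))
```

Run it against headers captured from your own deployment (for example from the browser's developer tools or a proxy you control). The check covers only the HTTP cache; the advisory linked above describes the specific storage mechanism involved in this CVE, and the upgrade to 2.4 remains the fix.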

Vulnerability details

Browser caching of LAPS passwords in Truesec’s LAPSWebUI before version 2.4 allows an attacker with access to a workstation to escalate their privileges via disclosure of local admin passwords.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1552.001 Credentials In Files (Credential Access): Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.

Why this technique: the vulnerability causes LAPS passwords to be stored in the browser cache (local files), directly enabling retrieval of unsecured credentials for subsequent privilege escalation via valid local accounts.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-15553 (same product: Truesec LAPSWebUI)
CVE-2025-15552 (same product: Truesec LAPSWebUI)
CVE-2025-52659 (shared CWE-525)

Affected Assets

Vendor: truesec
Product: lapswebui
Versions: ≤ 2.4

Mitigating Controls (NIST 800-53 r5)

Flaw remediation (prevent): directly remediates the browser caching vulnerability in LAPSWebUI by identifying, reporting, and correcting the flaw through a timely upgrade to version 2.4 or later.

IA-5 Authenticator Management (prevent): mandates protection of LAPS passwords as authenticators against unauthorized disclosure, which rules out insecure caching and extraction from browser storage.

AC-11 Device Lock (prevent): enforces automatic workstation locking after inactivity, blocking local attackers from reaching an unlocked browser that holds cached LAPS credentials.