Cyber Posture

CVE-2025-15554

High

Published: 16 March 2026

Published
16 March 2026
Modified
07 April 2026
KEV Added
Patch
CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0002 4.1th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-15554 is a high-severity Use of Web Browser Cache Containing Sensitive Information (CWE-525) vulnerability in Truesec Lapswebui. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Credentials In Files (T1552.001); ranked at the 4.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-11 (Device Lock) and IA-5 (Authenticator Management).

Threat & Defense at a Glance

What attackers do: exploitation maps to Credentials In Files (T1552.001). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly remediates the browser caching vulnerability in LAPSWebUI by identifying, reporting, and correcting the flaw through timely upgrades to version 2.4 or later.

IA-5 Authenticator Management good match
prevent

Mandates protection of LAPS passwords as authenticators against unauthorized disclosure, preventing their insecure caching and extraction from browser storage.

AC-11 Device Lock good match
prevent

Enforces automatic workstation locking after inactivity, blocking local attackers from accessing unlocked browsers containing cached LAPS credentials.

MITRE ATT&CK Enterprise TechniquesAI

T1552.001 Credentials In Files Credential Access
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
attack.mitre.org →
Why these techniques?

Vulnerability causes LAPS passwords to be stored in browser cache (local files), directly enabling retrieval of unsecured credentials for subsequent privilege escalation via valid local accounts.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Browser caching of LAPS passwords in Truesec’s LAPSWebUI before version 2.4 allows an attacker with access to a workstation to escalate their privileges via disclosure of local admin passwords.

Deeper analysisAI

CVE-2025-15554 is a vulnerability in Truesec’s LAPSWebUI prior to version 2.4 that enables browser caching of Local Administrator Password Solution (LAPS) passwords. This flaw allows attackers to retrieve cached credentials from the browser, leading to privilege escalation through disclosure of local administrator passwords. The issue is classified under CWE-525 and carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high impact with local access and low privileges required.

An attacker with physical or logical access to a workstation running the affected LAPSWebUI can exploit this vulnerability without user interaction. By accessing the browser's cache or storage, they can extract LAPS passwords for local administrators, enabling privilege escalation to full administrative control on the target system. This scenario is particularly relevant in environments where LAPSWebUI is deployed for password management across workstations.

The advisory published by Reversec Labs details mitigation strategies, recommending an upgrade to LAPSWebUI version 2.4 or later to address the caching issue (https://labs.reversec.com/advisories/2026/03/admin-passwords-cached-by-browsers-in-truesec-lapswebui). Security practitioners should verify browser cache clearing practices and monitor for unauthorized access to affected workstations.

Details

CWE(s)
CWE-525

Affected Products

truesec
lapswebui
≤ 2.4

CVEs Like This One

CVE-2025-15553Same product: Truesec Lapswebui
CVE-2025-15552Same product: Truesec Lapswebui
CVE-2025-52659Shared CWE-525

References