CVE-2025-15552
Insufficient Session Expiration in LAPSWebUI Enables Privilege Escalation
Publication date: 2026-03-16
Last updated on: 2026-04-20
Assigner: National Cyber Security Centre Finland
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| truesec | lapswebui | < 2.4 (all versions before 2.4) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-613 | According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization." |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-15552 is a vulnerability in Truesec's LAPSWebUI versions before 2.4 caused by insufficient session expiration controls.
After a user authenticates via Entra ID, a session cookie is set but is not invalidated on the server side, so the session cookie can be reused indefinitely.
An attacker with access to a workstation can exploit this by reusing the session cookie to escalate privileges and disclose the local administrator password.
Two factors combine to produce the vulnerability: the "Force Reauth on Password request" setting was disabled by default, and the logout function only logs the user out of Entra ID but does not invalidate the local session cookie. [1]
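The two server-side defects described above, modelled side by side as an added example (this is illustrative code written for this page, not LAPSWebUI's source): a session store that mirrors the pre-2.4 behaviour, and a hardened store that revokes the session on logout, bounds its lifetime and requires a fresh Entra ID sign-in per password display. Cookie generation, the 8-hour absolute lifetime and the `force_reauth` flag name are assumptions made for the example.

```python
"""
Added illustration for CVE-2025-15552 (not LAPSWebUI code): a vulnerable
session store beside a hardened one.  The 8-hour absolute lifetime and the
force_reauth flag name are assumptions made for this example.
"""
import secrets


class VulnerableSessionStore:
    """Pre-2.4 behaviour as described in the advisory: a session cookie is
    issued after Entra ID sign-in, logout only ends the Entra ID sign-in,
    the local session record is never removed or expired server-side, and
    'Force Reauth on Password request' is off by default."""

    def __init__(self, force_reauth=False):
        self.sessions = {}              # cookie value -> session record
        self.force_reauth = force_reauth

    def login_with_entra(self, user, now):
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = {"user": user, "issued_at": now,
                                 "entra_signed_in": True}
        return cookie

    def logout(self, cookie):
        # Only the Entra ID sign-in is ended; the local record stays usable.
        session = self.sessions.get(cookie)
        if session is not None:
            session["entra_signed_in"] = False

    def has_live_session(self, cookie):
        return cookie in self.sessions

    def password_request(self, cookie, now, reauthenticated=False):
        """Return a stand-in for the local admin password, or None if denied."""
        session = self.sessions.get(cookie)
        if session is None:
            return None
        if self.force_reauth and not reauthenticated:
            return None                 # mitigation: fresh Entra ID sign-in required
        return "<local admin password for %s>" % session["user"]


class HardenedSessionStore(VulnerableSessionStore):
    """What the server side should do: drop the local session on logout,
    give every session an absolute lifetime, and default force_reauth on."""

    MAX_LIFETIME_SECONDS = 8 * 3600     # assumed value for the example

    def __init__(self, force_reauth=True):
        super().__init__(force_reauth=force_reauth)

    def logout(self, cookie):
        self.sessions.pop(cookie, None) # server-side invalidation

    def password_request(self, cookie, now, reauthenticated=False):
        session = self.sessions.get(cookie)
        if session is not None and now - session["issued_at"] > self.MAX_LIFETIME_SECONDS:
            self.sessions.pop(cookie, None)   # absolute expiry reached
            return None
        return super().password_request(cookie, now, reauthenticated)


def replay_after_logout(store, days_later=3):
    """Scenario from the advisory: sign in, log out, then replay the same
    cookie days later.  Returns True if the password is still served."""
    t0 = 1_700_000_000
    cookie = store.login_with_entra("helpdesk-user", t0)
    store.logout(cookie)
    later = t0 + days_later * 86400
    return store.password_request(cookie, later) is not None
```

Note what the force-reauth setting does and does not buy you in this model: with `force_reauth=True` the vulnerable store no longer serves the password to a replayed cookie, but the session record itself is still alive after logout; only the hardened store's logout actually removes it.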
How can this vulnerability impact me?
This vulnerability can allow an attacker who has access to a workstation to escalate their privileges by obtaining the local administrator password.
Because session cookies are not invalidated server-side, an attacker can reuse these cookies even days after authentication, potentially maintaining unauthorized access.
This can lead to unauthorized access to sensitive systems and administrative functions, increasing the risk of further compromise or data breaches.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves checking whether the Truesec LAPSWebUI version is prior to 2.4 and whether session cookies are honoured after logout or long after they were issued, which shows they are not being invalidated server-side.
One practical approach is to monitor session cookie lifetimes and reuse. For example, you can inspect browser cookies related to LAPSWebUI to see if session cookies persist beyond expected durations.
Commands and checks that help:
- Use browser developer tools or command line tools like curl or wget to check session cookie behaviour after logout: capture the cookie, log out, then replay it. A 2xx from the password endpoint after logout confirms the issue; a redirect to the Entra ID sign-in page or a 401/403 means the session was revoked, so do not let the client follow redirects or the login page will look like a successful 200.
- Example curl command to test session reuse: curl -b "session_cookie=value" https://lapswebui.example.com/api/password -v
- Monitor network traffic for persistent session cookies using tools like Wireshark or tcpdump.
- Check the appsettings.json file for the "Force Reauth on Password request" setting to see if it is disabled. [1]
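The replay check and the appsettings.json inspection from the list above, as an added helper script written for this page (not code from LAPSWebUI or from the advisory). The password path is the one used in the curl example; the logout path, the cookie header form and the JSON key name for the force-reauth setting are assumptions, so the setting lookup matches any key that normalises to "forcereauth…". The `simulated_server` stub is a constructed stand-in so the check can be exercised offline.

```python
"""
Added detection helper for CVE-2025-15552 (not LAPSWebUI or advisory code):
replays a captured session cookie after logout and inspects appsettings.json
for the force-reauth setting.  LOGOUT_PATH and the JSON key are assumptions.
"""
import json
import re
import urllib.error
import urllib.request

PASSWORD_PATH = "/api/password"      # path from the curl example above
LOGOUT_PATH = "/Account/Logout"      # assumption: adjust to your deployment


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Report a 302 as its own status instead of following it to the Entra ID
    sign-in page, which would otherwise come back as a misleading 200."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_status(url, cookie_header):
    """GET url with the captured Cookie header; return the HTTP status code."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"Cookie": cookie_header})
    try:
        with opener.open(req, timeout=15) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def check_cookie_reuse(base_url, cookie_header, get_status=http_status):
    """Request the password endpoint, hit logout, then replay the same cookie.
    A 2xx after logout means the server never invalidated the session."""
    base_url = base_url.rstrip("/")
    before = get_status(base_url + PASSWORD_PATH, cookie_header)
    get_status(base_url + LOGOUT_PATH, cookie_header)
    after = get_status(base_url + PASSWORD_PATH, cookie_header)
    return {
        "before_logout": before,
        "after_logout": after,
        "reusable_after_logout": 200 <= before < 300 and 200 <= after < 300,
    }


def force_reauth_setting(appsettings_text):
    """Search appsettings.json at any nesting depth for a key that normalises
    to 'forcereauth...'; return its boolean value, or None if not present."""
    def as_bool(value):
        if isinstance(value, str):
            return value.strip().lower() == "true"
        return bool(value)

    def walk(node):
        if isinstance(node, dict):
            for key, value in node.items():
                if re.sub(r"[^a-z]", "", key.lower()).startswith("forcereauth"):
                    return as_bool(value)
                found = walk(value)
                if found is not None:
                    return found
        elif isinstance(node, list):
            for item in node:
                found = walk(item)
                if found is not None:
                    return found
        return None

    return walk(json.loads(appsettings_text))


def simulated_server(invalidates_on_logout):
    """Constructed stand-in for get_status so the check runs offline: models a
    server that either drops or keeps the session when logout is called."""
    state = {"valid": True}

    def get_status(url, cookie_header):
        if url.endswith(LOGOUT_PATH):
            if invalidates_on_logout:
                state["valid"] = False
            return 302                      # logout redirects
        return 200 if state["valid"] else 302

    return get_status


if __name__ == "__main__":
    import sys
    # usage: python check_lapswebui_session.py https://lapswebui.example.com "session_cookie=value"
    print(json.dumps(check_cookie_reuse(sys.argv[1], sys.argv[2]), indent=2))
```

Run it against a test instance only with a cookie you captured from your own session; the point is to see whether the post-logout replay still returns a 2xx. Pair the result with `force_reauth_setting()` on a copy of the server's appsettings.json: a reusable cookie plus a disabled setting is the exact combination the advisory describes.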
What immediate steps should I take to mitigate this vulnerability?
The primary immediate mitigation is to upgrade Truesec LAPSWebUI to version 2.4 or later, where the vulnerability has been fixed.
If upgrading is not immediately possible, enable the "Force Reauth on Password request" setting in the appsettings.json configuration file. This forces an Entra ID sign-in for each password display, reducing the risk from persistent session cookies.
Additionally, consider enforcing shorter session timeouts and educating users to log out properly and avoid browser session restoration that preserves cookies. [1]