Executive Summary

[{'type': 'paragraph', 'content': "CVE-2025-15553 is a vulnerability in Truesec's LAPSWebUI versions before 2.4 where the logout functionality does not properly terminate user sessions on both the client and server sides."}, {'type': 'paragraph', 'content': "When a user logs out, the client-side session cookie (.AspNetCore.Cookies) is not cleared, and users are redirected to Microsoft's logout endpoint which does not redirect back to LAPSWebUI. If the browser is set to reopen previous tabs, the session cookie persists indefinitely."}, {'type': 'paragraph', 'content': 'This allows an attacker with access to a workstation to escalate privileges by accessing local administrator passwords without re-authenticating, because the server-side session remains active.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized privilege escalation by allowing attackers to retrieve local administrator passwords without proper authentication.

Because sessions are not properly terminated, stolen session tokens can be exploited for unauthorized access, increasing the risk of compromise on affected systems.

Users cannot manually terminate compromised sessions, which extends the window of opportunity for attackers to misuse the session.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves checking if the logout functionality in truesec LAPSWebUI properly clears client-side session cookies and invalidates server-side sessions. Specifically, you can verify if the .AspNetCore.Cookies session cookie persists after logout and if navigating back to the LAPSWebUI URL without re-authentication reveals local admin passwords.

Since the vulnerability is related to session cookie persistence and improper logout, network or system detection can include monitoring HTTP traffic for session cookies that remain active after logout attempts.

Suggested commands or steps include:

• Use browser developer tools or command-line tools like curl or wget to perform a logout request and then check if the .AspNetCore.Cookies cookie is cleared.
• Example curl command to check cookies before and after logout:
• 1. Access LAPSWebUI and capture cookies: curl -c cookies.txt https://lapswebui.example.com
• 2. Perform logout request: curl -b cookies.txt -c cookies.txt https://lapswebui.example.com/logout
• 3. Check if .AspNetCore.Cookies is still present in cookies.txt after logout.
• Attempt to navigate back to the LAPSWebUI URL using the same session cookie to see if local admin passwords are accessible without re-authentication.

Useful 0 Not Useful 0

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The primary mitigation is to upgrade Truesec LAPSWebUI to version 2.4 or later, where the logout functionality properly clears client-side cookies and invalidates server-side sessions.'}, {'type': 'paragraph', 'content': 'If immediate upgrade is not possible, it is recommended to enable the "Force Reauth on Password request" setting in the server’s appsettings.json file under the AzureAd configuration. This forces Entra ID sign-in each time a password is requested, reducing the risk of unauthorized access.'}, {'type': 'paragraph', 'content': 'Additionally, users should be advised to close all browser windows after logout, especially if the browser is configured to reopen tabs from the previous session, to prevent session cookie persistence.'}, {'type': 'paragraph', 'content': 'Long-term recommendations include implementing proper session invalidation on both client and server sides and configuring LAPSWebUI’s logout URL as a front-channel logout URL in Azure App Registration to enable single sign-out.'}] [1]

Useful 0 Not Useful 0