CVE-2025-15554
Local Admin Password Disclosure via Browser Cache in LAPSWebUI
Publication date: 2026-03-16
Last updated on: 2026-04-07
Assigner: National Cyber Security Centre Finland
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| truesec | lapswebui | all versions before 2.4 (2.4 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-525 | The web application does not use an appropriate caching policy that specifies the extent to which each web page and associated form fields should be cached. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-15554 is a vulnerability in Truesec's LAPSWebUI versions before 2.4 in which local administrator passwords are cached by web browsers because the server's responses lack Cache-Control HTTP headers.
Specifically, the GET /Home/Password endpoint returns HTML containing sensitive local admin passwords without instructing browsers or proxies not to cache this data. As a result, browsers like Mozilla Firefox store these passwords locally, which can be accessed by an attacker with access to the workstation.
This vulnerability allows an attacker who can access a workstation to escalate their privileges by retrieving cached local admin passwords.
How can this vulnerability impact me?
The vulnerability can lead to privilege escalation on affected systems.
An attacker with access to a workstation can retrieve cached local administrator passwords from the browser cache, allowing them to gain higher privileges than originally permitted.
This increases the risk of unauthorized administrative access, potentially compromising system security and sensitive data.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking whether the HTTP responses from the LAPSWebUI server, specifically for the GET /Home/Password endpoint, lack a Cache-Control header that prevents caching of sensitive data.
You can inspect the headers the server returns with command-line tools such as curl or wget.
- Use curl to fetch only the response headers: curl -I https://<lapswebui-server>/Home/Password
- Look for a missing Cache-Control header, or for a Cache-Control value that permits caching (no no-store directive, or a non-zero max-age).
- Additionally, check browser cache directories (e.g., Firefox cache on Linux) for cached password data related to LAPSWebUI.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade Truesec's LAPSWebUI to version 2.4 or later, which fixes the issue by preventing caching of sensitive password pages.
If an immediate upgrade is not possible, configure your web server to send the HTTP header Cache-Control: no-store on sensitive endpoints such as /Home/Password, so that neither browsers nor proxies cache the passwords.
Also, restrict physical and local access to workstations to reduce the risk of attackers accessing cached passwords.
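The detection and mitigation steps above both come down to one check: does the caching policy of the password page forbid storage? The following checker is an added example written for this page, not code from Truesec or LAPSWebUI; the two sample responses are constructed to model the unpatched and the hardened behaviour and were not captured from a real server.

```python
"""Check whether an HTTP response's caching policy protects sensitive content
(CWE-525), e.g. a page such as LAPSWebUI's /Home/Password."""
from typing import Dict, List


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse a raw HTTP response (status line + headers) into {lower-case name: [values]}."""
    headers: Dict[str, List[str]] = {}
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]   # drop the body
    for line in head.split("\n")[1:]:                      # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def cache_control_directives(headers: Dict[str, List[str]]) -> Dict[str, str]:
    """Flatten all Cache-Control values into {directive: argument}; argument may be ''."""
    directives: Dict[str, str] = {}
    for value in headers.get("cache-control", []):
        for item in value.split(","):
            name, _, arg = item.strip().lower().partition("=")
            if name:
                directives[name] = arg.strip('"')
    return directives


def caching_findings(raw: str) -> List[str]:
    """Findings for a response that must never be cached; an empty list means it is safe."""
    cc = cache_control_directives(parse_headers(raw))
    findings: List[str] = []
    if not cc:
        findings.append("missing Cache-Control header")
    elif "no-store" not in cc:
        findings.append("Cache-Control lacks no-store")
    if "public" in cc:
        findings.append("Cache-Control permits shared caches (public)")
    for d in ("max-age", "s-maxage"):               # a positive lifetime allows reuse
        arg = cc.get(d)
        if arg is not None and arg.isdigit() and int(arg) > 0:
            findings.append(f"Cache-Control sets {d}={arg}, allowing reuse")
    return findings


# Constructed sample responses (not captured from LAPSWebUI); the password is a placeholder.
UNPATCHED = ("HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"
             "<html><body>Local admin password: EXAMPLE-ONLY</body></html>")
HARDENED = ("HTTP/1.1 200 OK\r\nCache-Control: no-store\r\nPragma: no-cache\r\n"
            "Content-Type: text/html; charset=utf-8\r\n\r\n"
            "<html><body>Local admin password: EXAMPLE-ONLY</body></html>")

if __name__ == "__main__":
    for label, response in (("unpatched", UNPATCHED), ("hardened", HARDENED)):
        print(label, caching_findings(response) or "OK")
```

To check a live server, feed it the output of curl -si (status line plus headers) rather than the constructed samples.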