Description
Insufficient Session Expiration in Truesec’s LAPSWebUI before version 2.4 allows an attacker with access to a workstation to escalate their privileges via disclosure of local admin password.
Published: 2026-03-16
Score: 6.0 (Medium)
EPSS: < 1% (Very Low)
KEV: No
Impact: Privilege escalation via local admin password disclosure
Action: Apply Patch
AI Analysis

Impact

Insufficient session expiration in Truesec LAPSWebUI before version 2.4 allows a user with access to a workstation to keep a long‑lived LAPSWebUI session alive and use it to view the local administrator password. The flaw is classified as CWE‑613 (Insufficient Session Expiration) and can lead to privilege escalation, since anyone who obtains the password can act with local administrator rights on that machine.

Affected Systems

Organisations running Truesec LAPSWebUI on any version earlier than 2.4 are affected. The vulnerability lies in the LAPSWebUI component itself, so every deployment that has not yet been updated is exposed.

Risk and Exploitability

The CVSS 4.0 score of 6.0 indicates moderate severity (a later CVSS v3.1 score of 7.8, High, appears in the History section below), and the EPSS score of less than 1% suggests a low probability of exploitation under current conditions. The vulnerability is not listed in CISA's KEV catalog, reflecting no known exploitation in the wild. Because the flaw requires local access to a workstation and depends on session lifetime settings, it can be mitigated by enforcing re‑authentication before a password is displayed or by applying the vendor‑issued update that removes the long‑lived session behaviour.

Generated by OpenCVE AI on March 22, 2026 at 14:47 UTC.

Remediation

Vendor Workaround

Configure LAPSWebUI to require an Entra ID sign-in every time a user requests that a password be displayed, by enabling the setting "Force Reauth on Password request".


OpenCVE Recommended Actions

  • Upgrade Truesec LAPSWebUI to version 2.4 or later.
  • Enable “Force Reauth on Password request” to require Entra ID sign‑in for each password display.
  • Configure a shorter session expiration period if possible.
  • Monitor workstation logs for abnormal access patterns and enforce stricter physical workstation security.



Advisories

No advisories yet.

History

Mon, 20 Apr 2026 13:30:00 +0000

Type: CPEs
Values added: cpe:2.3:a:truesec:lapswebui:*:*:*:*:*:*:*:*

Type: Metrics (cvssV3_1)
Values added: {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Mon, 30 Mar 2026 07:15:00 +0000

Type: First Time appeared
Values added: Truesec; Truesec lapswebui

Type: Vendors & Products
Values added: Truesec; Truesec lapswebui

Mon, 16 Mar 2026 19:15:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 16 Mar 2026 11:00:00 +0000

Type: Description
Values added: Insufficient Session Expiration in Truesec's LAPSWebUI before version 2.4 allows an attacker with access to a workstation to escalate their privileges via disclosure of local admin password.

Type: Title
Values added: Long Session Lifetime in Truesec LAPSWebUI

Type: Weaknesses
Values added: CWE-613

Type: References
Values added:

Type: Metrics (cvssV4_0)
Values added: {'score': 6, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: NCSC-FI

Published:

Updated: 2026-03-16T18:14:07.403Z

Reserved: 2026-02-02T05:56:40.009Z

Link: CVE-2025-15552

Vulnrichment

Updated: 2026-03-16T18:14:01.380Z

NVD

Status: Analyzed

Published: 2026-03-16T14:17:56.130

Modified: 2026-04-20T13:29:24.317

Link: CVE-2025-15552

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T07:02:51Z

Weaknesses