Admin Passwords Cached by Browsers in Truesec LAPSWebUI
Laban Sköllermark - Published: 16 Mar 2026
- Type: Use of Web Browser Cache Containing Sensitive Information
- Severity: Low
- Affected: Truesec LAPSWebUI before version 2.4
Browser caching of LAPS passwords in Truesec’s LAPSWebUI before version 2.4 allows an attacker with access to a workstation to escalate their privileges via disclosure of local admin passwords.
CVE-2025-15554
CWE-525: Use of Web Browser Cache Containing Sensitive Information
The vendor Truesec has not calculated any CVSS score. Reversec assessed the vulnerability to have a score of 6.0 according to CVSS (and therefore severity rating Medium) using the vector CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H. We believe that the risk is lower and have therefore categorised this vulnerability as Low instead.
See the blog post for some background.
The configuration of the LAPSWebUI application permitted browsers and web proxies to cache the pages accessed by a user. This may result in disclosure of sensitive information, especially in shared browsing environments.
Caching web server responses is a common method to improve loading times and reduce server load. However, if sensitive information is included in these cached responses, it could be accessed by an attacker. To address this concern, HTTP responses can include the Cache-Control header to instruct browsers and web proxies whether the response may be cached.
The following headers were provided by the web server in response to GET /Home/Password?computer=[REDACTED]&reason=:
```http
Content-Type: text/html; charset=utf-8
x-ms-proxy-app-id: [REDACTED]
x-ms-proxy-group-id: [REDACTED]
x-ms-proxy-subscription-id: [REDACTED]
x-ms-proxy-transaction-id: [REDACTED]
x-ms-proxy-service-name: [REDACTED]
x-ms-proxy-data-center: NEUR
x-ms-proxy-connector-id: [REDACTED]
strict-transport-security: max-age=2592000
Nel: {"report_to":"network-errors","max_age":86400,"success_fraction":0.2,"failure_fraction":1.0}
Report-To: {"group":"network-errors","max_age":86400,"endpoints":[{"url":"https://ffde.nelreports.net/api/report?cat=[REDACTED]"}]}
Date: Tue, 02 Dec 2025 16:09:22 GMT
Content-Length: 7515
```
As the Cache-Control header was not included, the responses could be cached by users’ browsers. In a shared browser environment, attackers could recover the sensitive information from the browser’s cache, even if HTTPS was used for communication. Furthermore, the lack of this header could result in responses being cached by an intermediate proxy. This could result in sensitive information mistakenly being shared between users of the application. No proxy server was configured in the assessed environment, however.
An example where a local admin password was cached by Mozilla Firefox on a Linux client:
```console
user@pentest-[REDACTED]:~/.cache/mozilla/firefox/2gwyog80.default-esr/cache2$ grep --recursive --text --fixed-strings --regexp "data-pass" --regexp "modal-title mb-3" .
./entries/[REDACTED_URL_SHA1_HASH]: <h3 class="modal-title mb-3"><i class="fa-solid fa-computer"></i> REDACTED_HOSTNAME</h3>
./entries/[REDACTED_URL_SHA1_HASH]: <code id="code" data-pass="+vg7+M4cn4U=*sD?FV%*4">
```
We realise that the severity Medium calculated using CVSS might over-hype the vulnerability. If an attacker has physical control over an unlocked workstation, there are other and worse consequences that are probably easier to execute. We would therefore like to categorise this vulnerability as Low.
The LAPSWebUI vendor Truesec should make sure that at least the GET /Home/Password endpoint is not cached by browsers or proxies.
Truesec claim to have fixed the vulnerability in LAPSWebUI version 2.4, which started shipping 2026-JAN-12. Reversec found the vulnerability during a client assessment and no longer have access to a LAPSWebUI system to confirm the fix.
Install the fixed version 2.4. If not possible, make sure the web server hosting LAPSWebUI sets the following HTTP response header:
```http
Cache-Control: no-store
```
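The following is an added example and not code from the advisory or from Truesec. It parses a raw response header block like the one shown earlier and reports whether a sensitive page could be stored by a browser or proxy, covering the missing-header case found in LAPSWebUI as well as weaker directives (private, no-cache) that might be mistaken for the recommended no-store fix. The two sample header blocks are constructed from the redacted response in the advisory.

```python
from __future__ import annotations

# Constructed sample: the redacted LAPSWebUI response from the advisory, minus
# the x-ms-proxy-* and reporting headers, which do not affect cacheability.
VULNERABLE_RESPONSE = """Content-Type: text/html; charset=utf-8
strict-transport-security: max-age=2592000
Date: Tue, 02 Dec 2025 16:09:22 GMT
Content-Length: 7515"""

# Constructed sample: the same response with the header the advisory recommends.
FIXED_RESPONSE = VULNERABLE_RESPONSE + "\nCache-Control: no-store"


def parse_headers(raw: str) -> dict[str, str]:
    """Parse 'Name: value' lines into a dict keyed by lower-cased header name."""
    headers = {}
    for line in raw.strip().splitlines():
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def cache_control_directives(value: str) -> dict[str, str | None]:
    """Split a Cache-Control value into {directive: argument-or-None}."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip('"') or None
    return directives


def cache_findings(raw: str) -> list[str]:
    """Return findings for a sensitive page; an empty list means it will not be stored."""
    headers = parse_headers(raw)
    if "cache-control" not in headers:
        # The LAPSWebUI situation: nothing tells browsers or proxies not to store the page.
        return ["no Cache-Control header: browsers and proxies may store the response (CWE-525)"]
    cc = cache_control_directives(headers["cache-control"])
    findings = []
    if "no-store" not in cc:
        findings.append("missing no-store: response may be written to the browser's disk cache")
        if "private" not in cc:
            findings.append("missing private: shared proxies may store the response too")
        if "no-cache" in cc:
            findings.append("no-cache only forces revalidation; the stored copy stays on disk")
    return findings


if __name__ == "__main__":
    for label, raw in (("vulnerable", VULNERABLE_RESPONSE), ("fixed", FIXED_RESPONSE)):
        print(label, cache_findings(raw) or "OK")
```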
| Date | Action |
|---|---|
| 23 Dec 2025 | Issue reported to Truesec |
| 5 Jan 2026 | Truesec acknowledge the problem |
| 12 Jan 2026 | Truesec release the fixed version 2.4 and start customer communication |
| 20 Jan 2026 | Reversec's client confirms they received version 2.4, vulnerability information and mitigation advice from Truesec on 12 January |
| 2 Feb 2026 | CVE-2025-15554 is reserved by NCSC-FI |
| 16 Mar 2026 | Publication of this advisory |