Long Session Lifetime in Truesec LAPSWebUI

- Author: Laban Sköllermark
- Published: 16 Mar 2026
- Type: Insufficient Session Expiration
- Severity: Medium
- Affected: Truesec LAPSWebUI before version 2.4
- CVE: CVE-2025-15552
- CWE: CWE-613: Insufficient Session Expiration

Insufficient Session Expiration in Truesec’s LAPSWebUI before version 2.4 allows an attacker with access to a workstation to escalate their privileges via disclosure of a local administrator password.
The vendor Truesec has not calculated any CVSS score. Reversec assessed the vulnerability to have a CVSS score of 6.0 (and therefore severity rating Medium) using the vector CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H.
See the blog post for some background.
The LAPSWebUI setting Force Reauth on Password request was disabled. After authenticating to the application via Entra ID, a session cookie was set. In a client assessment, that cookie was used 13 days later to successfully retrieve a local administrator password.
The default setting in most web browsers is to clear session cookies when closing the browser, but many users choose to configure their browser to “continue where you left off” / “open previous windows and tabs” or similar, which has the consequence that session cookies are never cleared. If a web application does not invalidate sessions server-side either, which seems to be the case for LAPSWebUI, the consequence is that users are logged in indefinitely. The same holds for an attacker that gets hold of a session cookie.
In the case of LAPSWebUI, the logout functionality did not work. It only logged the user out from Entra ID. See advisory Insecure Logout Functionality.
The LAPSWebUI vendor Truesec should set a server-side session timeout, possibly configurable, for all LAPSWebUI users. This would hinder the use of stolen session cookies after the timeout. That way customers with the setting Force Reauth on Password request disabled, which is the default, still experience some session security on inactivity.
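To illustrate the server-side timeout recommended above, here is an added example (not LAPSWebUI code; the 30-minute idle and 8-hour absolute limits are assumed policy values) of a session registry that rejects a cookie reused 13 days later and also honours a server-side logout:

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Assumed policy values for this illustration, not settings taken from LAPSWebUI.
IDLE_TIMEOUT = timedelta(minutes=30)
ABSOLUTE_LIFETIME = timedelta(hours=8)

@dataclass
class Session:
    user: str
    created: datetime
    last_seen: datetime

class SessionStore:
    """Server-side session registry; the cookie value is only an opaque handle into it."""
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str, now: datetime) -> str:
        token = secrets.token_urlsafe(32)  # unguessable handle with no meaning of its own
        self._sessions[token] = Session(user, now, now)
        return token

    def validate(self, token: str, now: datetime) -> Optional[str]:
        s = self._sessions.get(token)
        if s is None:
            return None
        if now - s.created > ABSOLUTE_LIFETIME or now - s.last_seen > IDLE_TIMEOUT:
            del self._sessions[token]  # expired server-side: the cookie is worthless from here on
            return None
        s.last_seen = now  # activity slides the idle window, never the absolute limit
        return s.user

    def logout(self, token: str) -> None:
        # Invalidate the application session itself, not only the identity provider's session.
        self._sessions.pop(token, None)

def demo() -> Dict[str, bool]:
    """Replay the advisory's scenario: a cookie issued at t0 is presented again 13 days later."""
    store = SessionStore()
    t0 = datetime(2025, 12, 1, 9, 0, tzinfo=timezone.utc)
    cookie = store.create("alice", t0)
    fresh_ok = store.validate(cookie, t0 + timedelta(minutes=10)) == "alice"
    stale_rejected = store.validate(cookie, t0 + timedelta(days=13)) is None
    second = store.create("alice", t0)
    store.logout(second)
    logout_rejected = store.validate(second, t0 + timedelta(minutes=1)) is None
    return {"fresh_accepted": fresh_ok, "stale_rejected": stale_rejected, "logout_rejected": logout_rejected}
```

Because expiry is enforced in the store rather than in the cookie, a browser that restores old tabs (or an attacker holding a copied cookie) gains nothing once the timeout has passed.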
Truesec claim to have fixed the vulnerability in LAPSWebUI version 2.4, which started shipping 2026-JAN-12. Reversec found the vulnerability during a client assessment and no longer have access to a LAPSWebUI system to confirm the fix.
Install the fixed version 2.4. If that is not possible, configure LAPSWebUI to require Entra ID sign-in every time a user wants to display a password, by enabling the setting Force Reauth on Password request. This can be done in the server’s appsettings.json file:

```json
{
  "AzureAd": {
    "ForceReAuth": true,
    [...]
  }
}
```
| Date | Action |
|---|---|
| 23 Dec 2025 | Issue reported to Truesec |
| 5 Jan 2026 | Truesec acknowledge the problem |
| 12 Jan 2026 | Truesec release the fixed version 2.4 and start customer communication |
| 20 Jan 2026 | Reversec's client confirms they received version 2.4, vulnerability information and mitigation advice from Truesec on 12 January |
| 2 Feb 2026 | CVE-2025-15552 is reserved by NCSC-FI |
| 16 Mar 2026 | Publication of this advisory |