fkie_cve-2025-27582
Vulnerability from fkie_nvd
Published: 2025-07-14 13:15
Modified: 2025-07-15 13:14
Summary
The Secure Password extension in One Identity Password Manager before 5.14.4 allows local privilege escalation. The issue arises from a flawed security hardening mechanism within the kiosk browser used to display the Password Self-Service site to end users. Specifically, the application attempts to restrict privileged actions by overriding the native window.print() function. However, this protection can be bypassed by an attacker who accesses the Password Self-Service site from the lock screen and navigates to an attacker-controlled webpage via the Help function. By hosting a crafted web page with JavaScript, the attacker can restore and invoke the window.print() function, launching a SYSTEM-privileged print dialog. From this dialog, the attacker can exploit standard Windows functionality - such as the Print to PDF or Add Printer wizard - to spawn a command prompt with SYSTEM privileges. Successful exploitation allows a local attacker (with access to a locked workstation) to gain SYSTEM-level privileges, granting full control over the affected device.

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Secure Password extension in One Identity Password Manager before 5.14.4 allows local privilege escalation. The issue arises from a flawed security hardening mechanism within the kiosk browser used to display the Password Self-Service site to end users. Specifically, the application attempts to restrict privileged actions by overriding the native window.print() function. However, this protection can be bypassed by an attacker who accesses the Password Self-Service site from the lock screen and navigates to an attacker-controlled webpage via the Help function. By hosting a crafted web page with JavaScript, the attacker can restore and invoke the window.print() function, launching a SYSTEM-privileged print dialog. From this dialog, the attacker can exploit standard Windows functionality - such as the Print to PDF or Add Printer wizard - to spawn a command prompt with SYSTEM privileges. Successful exploitation allows a local attacker (with access to a locked workstation) to gain SYSTEM-level privileges, granting full control over the affected device."
    },
    {
      "lang": "es",
      "value": "La extensi\u00f3n Secure Password de One Identity Password Manager, en versiones anteriores a la versi\u00f3n 5.14.4, permite la escalada de privilegios locales. El problema surge de un mecanismo de refuerzo de seguridad defectuoso en el navegador del kiosco utilizado para mostrar el sitio de autoservicio de contrase\u00f1as a los usuarios finales. En concreto, la aplicaci\u00f3n intenta restringir las acciones privilegiadas anulando la funci\u00f3n nativa window.print(). Sin embargo, un atacante puede eludir esta protecci\u00f3n accediendo al sitio de autoservicio de contrase\u00f1as desde la pantalla de bloqueo y navegando a una p\u00e1gina web controlada por el atacante mediante la funci\u00f3n Ayuda. Al alojar una p\u00e1gina web manipulada con JavaScript, el atacante puede restaurar e invocar la funci\u00f3n window.print(), lo que abre un cuadro de di\u00e1logo de impresi\u00f3n con privilegios de SYSTEM. Desde este cuadro de di\u00e1logo, el atacante puede explotar funciones est\u00e1ndar de Windows, como el asistente para imprimir a PDF o para agregar impresoras, para generar un s\u00edmbolo del sistema con privilegios de SYSTEM. Una explotaci\u00f3n exitosa permite a un atacante local (con acceso a una estaci\u00f3n de trabajo bloqueada) obtener privilegios de SYSTEM, lo que le otorga control total sobre el dispositivo afectado."
    }
  ],
  "id": "CVE-2025-27582",
  "lastModified": "2025-07-15T13:14:24.053",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "PHYSICAL",
          "availabilityImpact": "HIGH",
          "baseScore": 7.6,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 0.9,
        "impactScore": 6.0,
        "source": "cve@mitre.org",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-07-14T13:15:24.233",
  "references": [
    {
      "source": "cve@mitre.org",
      "url": "https://www.cyberis.com/article/password-manager-privilege-escalation"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "url": "https://www.cyberis.com/article/password-manager-privilege-escalation"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-829"
        }
      ],
      "source": "cve@mitre.org",
      "type": "Secondary"
    }
  ]
}

