{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2025-27582", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2025-07-14T20:11:00.348Z", "dateReserved": "2025-03-03T00:00:00.000Z", "datePublished": "2025-07-14T00:00:00.000Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Password Manager", "vendor": "One Identity", "versions": [{"lessThan": "5.14.4", "status": "affected", "version": "0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "The Secure Password extension in One Identity Password Manager before 5.14.4 allows local privilege escalation. The issue arises from a flawed security hardening mechanism within the kiosk browser used to display the Password Self-Service site to end users. Specifically, the application attempts to restrict privileged actions by overriding the native window.print() function. However, this protection can be bypassed by an attacker who accesses the Password Self-Service site from the lock screen and navigates to an attacker-controlled webpage via the Help function. By hosting a crafted web page with JavaScript, the attacker can restore and invoke the window.print() function, launching a SYSTEM-privileged print dialog. From this dialog, the attacker can exploit standard Windows functionality - such as the Print to PDF or Add Printer wizard - to spawn a command prompt with SYSTEM privileges. Successful exploitation allows a local attacker (with access to a locked workstation) to gain SYSTEM-level privileges, granting full control over the affected device."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-829", "description": "CWE-829 Inclusion of Functionality from Untrusted Control Sphere", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2025-07-14T12:19:43.575Z"}, "references": [{"url": "https://www.cyberis.com/article/password-manager-privilege-escalation"}], "x_generator": {"engine": "enrichogram 0.0.1"}, "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.6, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"}}]}, "adp": [{"references": [{"url": "https://www.cyberis.com/article/password-manager-privilege-escalation", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-14T14:43:16.470854Z", "id": "CVE-2025-27582", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-14T20:11:00.348Z"}}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-27582", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-07-14T14:43:16.470854Z"}}}], "references": [{"url": "https://www.cyberis.com/article/password-manager-privilege-escalation", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-14T14:43:35.330Z"}}], "cna": {"metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.6, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"}}], "affected": [{"vendor": "One Identity", "product": "Password Manager", "versions": [{"status": "affected", "version": "0", "lessThan": "5.14.4", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.cyberis.com/article/password-manager-privilege-escalation"}], "x_generator": {"engine": "enrichogram 0.0.1"}, "descriptions": [{"lang": "en", "value": "The Secure Password extension in One Identity Password Manager before 5.14.4 allows local privilege escalation. The issue arises from a flawed security hardening mechanism within the kiosk browser used to display the Password Self-Service site to end users. Specifically, the application attempts to restrict privileged actions by overriding the native window.print() function. However, this protection can be bypassed by an attacker who accesses the Password Self-Service site from the lock screen and navigates to an attacker-controlled webpage via the Help function. By hosting a crafted web page with JavaScript, the attacker can restore and invoke the window.print() function, launching a SYSTEM-privileged print dialog. From this dialog, the attacker can exploit standard Windows functionality - such as the Print to PDF or Add Printer wizard - to spawn a command prompt with SYSTEM privileges. Successful exploitation allows a local attacker (with access to a locked workstation) to gain SYSTEM-level privileges, granting full control over the affected device."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-829", "description": "CWE-829 Inclusion of Functionality from Untrusted Control Sphere"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2025-07-14T12:19:43.575Z"}}}, "cveMetadata": {"cveId": "CVE-2025-27582", "state": "PUBLISHED", "dateUpdated": "2025-07-14T20:11:00.348Z", "dateReserved": "2025-03-03T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2025-07-14T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Secure Password extension in One Identity Password Manager before 5.14.4 allows local privilege escalation. The issue arises from a flawed security hardening mechanism within the kiosk browser used to display the Password Self-Service site to end users. Specifically, the application attempts to restrict privileged actions by overriding the native window.print() function. However, this protection can be bypassed by an attacker who accesses the Password Self-Service site from the lock screen and navigates to an attacker-controlled webpage via the Help function. By hosting a crafted web page with JavaScript, the attacker can restore and invoke the window.print() function, launching a SYSTEM-privileged print dialog. From this dialog, the attacker can exploit standard Windows functionality - such as the Print to PDF or Add Printer wizard - to spawn a command prompt with SYSTEM privileges. Successful exploitation allows a local attacker (with access to a locked workstation) to gain SYSTEM-level privileges, granting full control over the affected device."}, {"lang": "es", "value": "La extensi\u00f3n Secure Password de One Identity Password Manager, en versiones anteriores a la versi\u00f3n 5.14.4, permite la escalada de privilegios locales. El problema surge de un mecanismo de refuerzo de seguridad defectuoso en el navegador del kiosco utilizado para mostrar el sitio de autoservicio de contrase\u00f1as a los usuarios finales. En concreto, la aplicaci\u00f3n intenta restringir las acciones privilegiadas anulando la funci\u00f3n nativa window.print(). Sin embargo, un atacante puede eludir esta protecci\u00f3n accediendo al sitio de autoservicio de contrase\u00f1as desde la pantalla de bloqueo y navegando a una p\u00e1gina web controlada por el atacante mediante la funci\u00f3n Ayuda. Al alojar una p\u00e1gina web manipulada con JavaScript, el atacante puede restaurar e invocar la funci\u00f3n window.print(), lo que abre un cuadro de di\u00e1logo de impresi\u00f3n con privilegios de SYSTEM. Desde este cuadro de di\u00e1logo, el atacante puede explotar funciones est\u00e1ndar de Windows, como el asistente para imprimir a PDF o para agregar impresoras, para generar un s\u00edmbolo del sistema con privilegios de SYSTEM. Una explotaci\u00f3n exitosa permite a un atacante local (con acceso a una estaci\u00f3n de trabajo bloqueada) obtener privilegios de SYSTEM, lo que le otorga control total sobre el dispositivo afectado."}], "id": "CVE-2025-27582", "lastModified": "2025-07-15T13:14:24.053", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 6.0, "source": "[email protected]", "type": "Secondary"}]}, "published": "2025-07-14T13:15:24.233", "references": [{"source": "[email protected]", "url": "https://www.cyberis.com/article/password-manager-privilege-escalation"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://www.cyberis.com/article/password-manager-privilege-escalation"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-829"}], "source": "[email protected]", "type": "Secondary"}]}

{}