PT-2025-29461 · One Identity · One Identity Password Manager

Published: 2025-07-14 · Updated: 2025-07-14 · CVE-2025-27582

CVSS v3.1: 7.6 (High)
Vector: AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: One Identity Password Manager versions prior to 5.14.4
Description: The Secure Password extension in One Identity Password Manager contains a flaw in the security hardening of the kiosk browser used for the Password Self-Service site. An attacker who opens the Password Self-Service site from the Windows lock screen can bypass the restrictions on privileged actions by navigating to an attacker-controlled webpage via the Help function. By hosting a crafted webpage with JavaScript, the attacker can restore and invoke the window.print() function, which launches a print dialog running as SYSTEM. From this dialog, the attacker can use standard Windows functionality – such as Print to PDF or the Add Printer wizard – to spawn a command prompt with SYSTEM privileges. Successful exploitation allows a local attacker with access to a locked workstation to gain SYSTEM-level privileges, granting full control over the affected device.
Recommendations: Update One Identity Password Manager to version 5.14.4 or later.

Tags: Exploit · Fix · LPE

Weakness Enumeration: (none listed)

Related Identifiers: CVE-2025-27582

Affected Products: One Identity Password Manager