CVE-2025-27582: CWE-829 Inclusion of Functionality from Untrusted Control Sphere in One Identity Password Manager
The Secure Password extension in One Identity Password Manager before 5.14.4 allows local privilege escalation. The issue arises from a flawed security hardening mechanism within the kiosk browser used to display the Password Self-Service site to end users. Specifically, the application attempts to restrict privileged actions by overriding the native window.print() function. However, this protection can be bypassed by an attacker who accesses the Password Self-Service site from the lock screen and navigates to an attacker-controlled webpage via the Help function. By hosting a crafted web page with JavaScript, the attacker can restore and invoke the window.print() function, launching a SYSTEM-privileged print dialog. From this dialog, the attacker can exploit standard Windows functionality - such as the Print to PDF or Add Printer wizard - to spawn a command prompt with SYSTEM privileges. Successful exploitation allows a local attacker (with access to a locked workstation) to gain SYSTEM-level privileges, granting full control over the affected device.
AI Analysis
Technical Summary
CVE-2025-27582 is a high-severity local privilege escalation vulnerability affecting the Secure Password extension in One Identity Password Manager versions prior to 5.14.4. The vulnerability stems from an insecure implementation of a security hardening mechanism within the kiosk browser component used to display the Password Self-Service site. The application attempts to restrict privileged actions by overriding the native JavaScript window.print() function to prevent unauthorized printing operations. However, this protection can be bypassed by an attacker who has physical or local access to a locked workstation. Specifically, the attacker can access the Password Self-Service site from the lock screen and use the Help function to navigate to a malicious, attacker-controlled webpage. This crafted webpage contains JavaScript code that restores and invokes the original window.print() function, which launches a print dialog with SYSTEM-level privileges. Leveraging standard Windows functionalities available from this privileged print dialog—such as the Print to PDF feature or the Add Printer wizard—the attacker can escalate privileges by spawning a command prompt running with SYSTEM privileges. This effectively grants the attacker full control over the affected device, allowing them to execute arbitrary code with the highest system privileges. The vulnerability is categorized under CWE-829 (Inclusion of Functionality from Untrusted Control Sphere), highlighting that untrusted web content can influence privileged application behavior. The CVSS v3.1 base score is 7.6, reflecting high severity due to the potential for full system compromise without requiring user interaction or prior authentication, but requiring local access to the locked machine. No known exploits are reported in the wild yet, and no patches are linked in the provided data, indicating that affected organizations should prioritize mitigation and patching once available. 
This vulnerability poses a significant risk in environments where workstations are shared or physically accessible to multiple users, especially in enterprise settings using One Identity Password Manager for credential management.
Potential Impact
For European organizations, the impact of CVE-2025-27582 can be severe. The vulnerability allows an attacker with local access to a locked workstation to escalate privileges to SYSTEM level, effectively compromising the entire device. This can lead to unauthorized access to sensitive credentials managed by One Identity Password Manager, lateral movement within the network, data exfiltration, and disruption of business operations. Given that password managers are critical security infrastructure components, their compromise undermines organizational security posture and can facilitate further attacks such as ransomware deployment or espionage. In sectors with strict regulatory requirements like finance, healthcare, and government, such a breach could result in significant compliance violations under GDPR and other data protection laws, leading to heavy fines and reputational damage. The ability to exploit this vulnerability from a locked screen also raises concerns about insider threats or unauthorized physical access scenarios common in shared office environments or remote work setups. Therefore, the vulnerability threatens confidentiality, integrity, and availability of critical systems and data within European enterprises.
Mitigation Recommendations
1. Immediate mitigation should include restricting physical and local access to workstations, especially those running vulnerable versions of One Identity Password Manager.
2. Disable or restrict the Help function in the Password Self-Service kiosk browser to prevent navigation to arbitrary web pages from the lock screen.
3. Implement strict application whitelisting and endpoint detection controls to monitor and block unauthorized execution of system utilities such as the Print to PDF feature or Add Printer wizard from untrusted contexts.
4. Enforce workstation lock policies with multi-factor authentication to reduce risk of unauthorized local access.
5. Monitor and audit usage of the Password Manager and kiosk browser components for anomalous behavior indicative of exploitation attempts.
6. Coordinate with One Identity to obtain and deploy patches or updates addressing this vulnerability as soon as they become available.
7. Educate users and administrators about the risks of leaving locked workstations unattended and the importance of physical security controls.
8. Consider network segmentation and least privilege principles to limit the impact of a compromised workstation on broader enterprise resources.
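As an added example (not One Identity's code), the navigation allowlist that recommendation 2 calls for, written as a host-side check a kiosk browser would run before following any link, Help links included. The lesson of CWE-829 here is that overriding window.print() inside the page is not a trust boundary; the boundary has to be which origins may be loaded at all. The self-service host name, the base URL and the navigation event shape are assumptions for the demo.

```javascript
// Constructed base URL of the Password Self-Service site (assumption for the demo).
const SELF_SERVICE_BASE = "https://pwdss.example.invalid/PMUser/";

// Exact origins the kiosk may load. No wildcards or suffix matching: an
// "ends with" test would let pwdss.example.invalid.evil.invalid through.
const ALLOWED_ORIGINS = new Set([
  "https://pwdss.example.invalid",
  "https://help.example.invalid",
]);

// Resolve relative links against the self-service site; unparsable input is
// treated as a failed navigation rather than passed along.
function resolveNavigation(target, base = SELF_SERVICE_BASE) {
  try {
    return new URL(target, base);
  } catch (e) {
    return null;
  }
}

function isAllowedNavigation(target, allowed = ALLOWED_ORIGINS, base = SELF_SERVICE_BASE) {
  const url = resolveNavigation(target, base);
  if (url === null) return false;
  // Only https. javascript:, data:, file: and about: schemes run content the
  // kiosk does not control, with the kiosk process's own privileges.
  if (url.protocol !== "https:") return false;
  // Embedded credentials (trusted-host@evil-host) are a confusion trick; refuse them.
  if (url.username !== "" || url.password !== "") return false;
  // url.origin is scheme + lower-cased host + non-default port only, so
  // fragments, paths and user-info cannot smuggle a trusted name past this check.
  return allowed.has(url.origin);
}

// Hook shape is illustrative: an object with the target url and preventDefault(),
// as a browser-embedding framework would hand to a will-navigate listener.
function navigationGuard(event) {
  if (!isAllowedNavigation(event.url)) {
    event.preventDefault(); // drop the navigation and hand the SOC a log line
    return { allowed: false, reason: `blocked navigation to ${event.url}` };
  }
  return { allowed: true, reason: "" };
}
```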
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Belgium, Italy
Technical Details
Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-03-03T00:00:00.000Z
CVSS Version: 3.1
State: PUBLISHED
Threat ID: 6874fc0aa83201eaacc66258
Added to database: 7/14/2025, 12:46:02 PM
Last enriched: 7/14/2025, 1:01:12 PM
Last updated: 7/16/2025, 9:51:42 AM