CVE-2025-15114
9.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
Ksenia Security lares (legacy model) Home Automation version 1.6 contains a critical security flaw that exposes the alarm system PIN in the 'basisInfo' XML file after authentication. Attackers can retrieve the PIN from the server response to bypass security measures and disable the alarm system without additional authentication.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Ksenia Security S.p.A. | lares | 1.6 | affected |
| Ksenia Security S.p.A. | lares | 1.0.0.15 | affected |
Weaknesses
- CWE-403: CWE-403 Exposure of file descriptor to unintended control sphere ('file descriptor leak')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: yes
- Technical Impact: total
Additional References
References
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5929.php
- https://www.vulncheck.com/advisories/ksenia-security-lares-home-automation-pin-exposure-vulnerability
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.