CVE-2025-15114

Summary

Ksenia Security lares (legacy model) Home Automation version 1.6 contains a critical security flaw that exposes the alarm system PIN in the 'basisInfo' XML file after authentication. Attackers can retrieve the PIN from the server response to bypass security measures and disable the alarm system without additional authentication.

Affected Software

VendorProductVersion RangeStatus
Ksenia Security S.p.A.lares1.6affected
Ksenia Security S.p.A.lares1.0.0.15affected

Weaknesses

  • CWE-403: CWE-403 Exposure of file descriptor to unintended control sphere ('file descriptor leak')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: total

Additional References

References