CVE-2025-15112

MEDIUM

Kseniasecurity Lares Firmware - Open Redirect

Title source: rule

Description

Ksenia Security lares (legacy model) version 1.6 contains a URL redirection vulnerability in the 'cmdOk.xml' script that allows attackers to manipulate the 'redirectPage' GET parameter. Attackers can craft malicious links that redirect authenticated users to arbitrary websites when clicking on a specially constructed link hosted on a trusted domain.

References (4)

[Third Party Advisory] https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5928.php

[Third Party Advisory] https://packetstorm.news/files/id/190179/

[Product] https://www.kseniasecurity.com/

[Third Party Advisory] https://www.vulncheck.com/advisories/ksenia-security-lares-home-automation-url-redirection-vulnerability

Scores

CVSS v3 5.4

EPSS 0.0002

EPSS Percentile 4.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-601

Status published

Products (1)

kseniasecurity/lares_firmware 1.6

Published Dec 30, 2025

Tracked Since Feb 18, 2026