CVE-2025-15113

CRITICAL

Ksenia Security Lares 4.0 Home Automation <1.6 - Code Injection

Title source: llm

Description

Ksenia Security lares (legacy model) Home Automation version 1.6 contains an unprotected endpoint vulnerability that allows authenticated attackers to upload MPFS File System binary images. Attackers can exploit this vulnerability to overwrite flash program memory and potentially execute arbitrary code on the home automation system's web server.

References (4)

[Third Party Advisory] https://packetstorm.news/files/id/190178/

[Product] https://www.kseniasecurity.com/

[Third Party Advisory] https://www.vulncheck.com/advisories/ksenia-security-lares-home-automation-remote-code-execution-via-mpfs-upload

[Third Party Advisory] https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5930.php

Scores

CVSS v3 9.3

EPSS 0.0007

EPSS Percentile 21.8%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Classification

CWE

CWE-522 CWE-256

Status published

Affected Products (1)

kseniasecurity/lares_firmware

Timeline

Published Dec 30, 2025

Tracked Since Feb 18, 2026