CVE-2025-15113

CRITICAL

Ksenia Security Lares 4.0 Home Automation <1.6 - Code Injection

Title source: llm

Description

Ksenia Security lares (legacy model) Home Automation version 1.6 contains an unprotected endpoint vulnerability that allows authenticated attackers to upload MPFS File System binary images. Attackers can exploit this vulnerability to overwrite flash program memory and potentially execute arbitrary code on the home automation system's web server.

References (4)

[Third Party Advisory] https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5930.php

[Product] https://www.kseniasecurity.com/

[Third Party Advisory] https://packetstorm.news/files/id/190178/

[Third Party Advisory] https://www.vulncheck.com/advisories/ksenia-security-lares-home-automation-remote-code-execution-via-mpfs-upload

Scores

CVSS v3 9.3

EPSS 0.0003

EPSS Percentile 7.4%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-522 CWE-256

Status published

Products (1)

kseniasecurity/lares_firmware 1.6

Published Dec 30, 2025

Tracked Since Feb 18, 2026