CVE-2025-15114

CRITICAL

Ksenia Security Lares 4.0 Home Automation <1.6 - Info Disclosure

Title source: llm

Description

Ksenia Security lares (legacy model) Home Automation version 1.6 contains a critical security flaw that exposes the alarm system PIN in the 'basisInfo' XML file after authentication. Attackers can retrieve the PIN from the server response to bypass security measures and disable the alarm system without additional authentication.

Scores

CVSS v3 9.8
EPSS 0.0005
EPSS Percentile 15.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE
CWE-403 CWE-668
Status published
Products (1)
kseniasecurity/lares_firmware 1.6
Published Dec 30, 2025
Tracked Since Feb 18, 2026