CVE-2025-15113 - Vulnerability Details

Ksenia Security Lares 4.0 Home Automation version 1.6 contains an unprotected endpoint vulnerability that allows authenticated attackers to upload MPFS File System binary images. Attackers can exploit this vulnerability to overwrite flash program memory and potentially execute arbitrary code on the home automation system's web server.

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable no

Technical Impact total

Vendors	Products
Ksenia Security	Lares 4.0 Home Automation
Kseniasecurity	Lares Lares Firmware

Configuration 1 [-]

AND

cpe:2.3:o:kseniasecurity:lares_firmware:1.6:*:*:*:*:*:*:*

cpe:2.3:h:kseniasecurity:lares:4.0:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://packetstorm.news/files/id/190178/
https://www.kseniasecurity.com/
https://www.vulncheck.com/advisories/ksenia-security-lares-home-automation-remote-code-execution-via-mpfs-upload
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5930.php

History

Wed, 07 Jan 2026 22:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Kseniasecurity Kseniasecurity lares Kseniasecurity lares Firmware
Weaknesses		CWE-522
CPEs		cpe:2.3:h:kseniasecurity:lares:4.0:::::::* cpe:2.3:o:kseniasecurity:lares_firmware:1.6:::::::*
Vendors & Products		Kseniasecurity Kseniasecurity lares Kseniasecurity lares Firmware

Mon, 05 Jan 2026 10:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Ksenia Security Ksenia Security lares 4.0 Home Automation
Vendors & Products		Ksenia Security Ksenia Security lares 4.0 Home Automation

Fri, 02 Jan 2026 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 30 Dec 2025 23:00:00 +0000

Type	Values Removed	Values Added
Description		Ksenia Security Lares 4.0 Home Automation version 1.6 contains an unprotected endpoint vulnerability that allows authenticated attackers to upload MPFS File System binary images. Attackers can exploit this vulnerability to overwrite flash program memory and potentially execute arbitrary code on the home automation system's web server.
Title		Ksenia Security Lares 4.0 Home Automation 1.6 Remote Code Execution via MPFS Upload
Weaknesses		CWE-256
References		https://packetstorm.news/files/id/190178/ https://www.kseniasecurity.com/ https://www.vulncheck.com/advisories/ksenia-security-lares-home-automation-remote-code-execution-via-mpfs-upload https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5930.php
Metrics		cvssV3_1 `{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}` cvssV4_0 `{'score': 8.5, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published: 2025-12-30T22:41:46.694Z

Updated: 2026-01-02T14:38:35.303Z

Reserved: 2025-12-27T01:46:43.993Z

Link: CVE-2025-15113

Vulnrichment

Updated: 2026-01-02T14:23:47.627Z

NVD

Status : Analyzed

Published: 2025-12-30T23:15:49.913

Modified: 2026-01-07T22:05:08.027

Link: CVE-2025-15113

Redhat

No data.

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation poc

Automatable no

Technical Impact total

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object