
Ksenia Security Lares WebServer Home Automation URL Redirection

Severity: Medium
Advisory ID: ZSL-2025-5928
Release Date: 31 March 2025
Vendor: Ksenia Security S.p.A. - https://www.kseniasecurity.com
Affected Version: Firmware version 1.6, Webserver version 1.0.0.15
Tested On: Ksenia Lares Webserver
Summary

Lares is a burglar alarm and home automation system that can be controlled by means of an ergo LCD keyboard, as well as remotely by telephone, and even via the Internet through a built-in web server.

Description

Input passed via the 'redirectPage' GET parameter to the 'cmdOk.xml' script is not properly verified before being used to redirect users. This can be exploited to redirect an authenticating user to an arbitrary website, e.g. when a user clicks a specially crafted link to the affected script hosted on a trusted domain.
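The flaw described above is a classic open redirect: the value of a request parameter is copied into the Location header without checking that it points back into the application. The following is an added example (not code from the advisory or from the vendor's web server) that contrasts the unchecked pattern with a hardened resolver. The parameter name 'redirectPage' is taken from the advisory; the landing page and the allow-list of local pages are assumptions chosen for illustration.

```python
from urllib.parse import unquote, urlsplit

# Assumption: post-login landing page used when the parameter is absent or rejected.
DEFAULT_TARGET = "/index.html"
# Assumption: the only local pages a successful command may bounce the user to.
ALLOWED_PATHS = {"/index.html", "/status.html", "/settings.html"}


def vulnerable_location_header(redirect_page: str) -> str:
    """The pattern the advisory describes: the parameter value is used verbatim.

    Any absolute URL, protocol-relative URL or header-injection payload supplied
    in 'redirectPage' becomes the redirect target.
    """
    return f"Location: {redirect_page}"


def is_safe_local_redirect(target: str) -> bool:
    """Return True only for a same-origin path on the allow-list.

    Rejects absolute URLs, protocol-relative URLs ("//host"), scheme prefixes
    ("javascript:", "https:"), backslash variants browsers normalise to "/",
    percent-encoded copies of the above, and CR/LF/NUL (header injection).
    """
    if not target:
        return False
    decoded = unquote(target)           # catch "%2F%2Fevil.example" once decoded
    if any(c in decoded for c in "\r\n\x00"):
        return False                    # would split or truncate the header
    if decoded != decoded.strip():
        return False                    # leading/trailing whitespace is suspect
    if "\\" in decoded:
        return False                    # "/\\evil.example" is "//evil.example" to browsers
    parts = urlsplit(decoded)
    if parts.scheme or parts.netloc:
        return False                    # "https://…", "//evil.example", "javascript:…"
    if not decoded.startswith("/") or decoded.startswith("//"):
        return False                    # require a rooted, single-slash local path
    return parts.path in ALLOWED_PATHS  # query/fragment may vary, path must be known


def resolve_redirect(redirect_page: str) -> str:
    """Hardened replacement: fall back to the default page on any rejection."""
    return redirect_page if is_safe_local_redirect(redirect_page) else DEFAULT_TARGET


def safe_location_header(redirect_page: str) -> str:
    return f"Location: {resolve_redirect(redirect_page)}"


if __name__ == "__main__":
    # Constructed sample inputs, not values observed against the product.
    for candidate in ("/status.html?tab=1", "https://evil.example/", "//evil.example/",
                      "/\\evil.example", "javascript:alert(1)", "%2F%2Fevil.example"):
        print(f"{candidate!r:28} -> {safe_location_header(candidate)}")
```

The allow-list check is stricter than simply "starts with a slash": it also closes the protocol-relative and backslash variants that a prefix check alone lets through, and it decodes the parameter once so a percent-encoded payload is judged on what the browser will actually see.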

Proof of Concept
Disclosure Timeline
03.07.2024 - Vulnerability discovered.
27.09.2024 - Vendor contacted.
30.03.2025 - No response from the vendor.
31.03.2025 - Public security advisory released.
11.02.2026 - Vendor clarifies that this is not affecting Lares 4.0, only the legacy Lares model.
Credits
Vulnerability discovered by Mencha Isajlovska
References
Changelog
31.03.2025 - Initial release.
03.04.2025 - Added reference [1].
11.02.2026 - Changed the title of the advisory and added Vendor Status.
24.03.2026 - Added reference [2].