← Advisories

Ksenia Security Lares WebServer Home Automation Remote Code Execution

High
Advisory ID
ZSL-2025-5930
Release Date
31 March 2025
Vendor
Ksenia Security S.p.A. - https://www.kseniasecurity.com
Affected Version
Firmware version 1.6, Webserver version 1.0.0.15
CVE
CVE-2025-15113
Tested On
Ksenia Lares Webserver
Summary

Lares is a burglar alarm & home automation system that can be controlled by means of an ergo LCD keyboard, as well as remotely by telephone, and even via the Internet through a built-in WEB server.

Description

The device provides access to an unprotected endpoint, enabling the upload of MPFS File System binary images. Authenticated attackers can exploit this vulnerability to overwrite the flash program memory containing the web server's main interfaces, potentially leading to arbitrary code execution.

Proof of Concept
ksenia_rce.txtTXT
Disclosure Timeline
03.07.2024Vulnerability discovered.
27.09.2024Vendor contacted.
30.03.2025No response from the vendor.
31.03.2025Public security advisory released.
11.02.2026Vendor clarifies that this is not affecting lares 4.0, only the legacy lares model.
Credits
Vulnerability discovered by Mencha Isajlovska
References
[1]https://www.zeroscience.mk/#/advisories/ZSL-2023-5796
[2]https://www.zeroscience.mk/#/advisories/ZSL-2023-5799
[3]https://packetstorm.news/files/id/190178/
[4]https://www.cve.org/CVERecord?id=CVE-2025-15113
Changelog
31.03.2025Initial release
03.04.2025Added reference [3]
11.02.2026Changed the title of the advisory and added Vendor Status.
24.03.2026Added reference [4]