{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-15113", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2025-12-27T01:46:43.993Z", "datePublished": "2025-12-30T22:41:46.694Z", "dateUpdated": "2026-01-21T14:38:48.930Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Ksenia Security Lares 4.0 Home Automation", "vendor": "Ksenia Security S.p.A.", "versions": [{"status": "affected", "version": "1.6"}, {"status": "affected", "version": "1.0.0.15"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Mencha Isajlovska of Zero Science Lab"}], "datePublic": "2025-03-31T00:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Ksenia Security Lares 4.0 Home Automation version 1.6 contains an unprotected endpoint vulnerability that allows authenticated attackers to upload MPFS File System binary images. Attackers can exploit this vulnerability to overwrite flash program memory and potentially execute arbitrary code on the home automation system's web server.</p>"}], "value": "Ksenia Security Lares 4.0 Home Automation version 1.6 contains an unprotected endpoint vulnerability that allows authenticated attackers to upload MPFS File System binary images. Attackers can exploit this vulnerability to overwrite flash program memory and potentially execute arbitrary code on the home automation system's web server."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-256", "description": "Plaintext Storage of a Password", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-01-21T14:38:48.930Z"}, "references": [{"name": "Zero Science Lab Disclosure (ZSL-2025-5930)", "tags": ["third-party-advisory"], "url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5930.php"}, {"name": "Ksenia Security Vendor Homepage", "tags": ["product"], "url": "https://www.kseniasecurity.com/"}, {"name": "Packet Storm Security Exploit", "tags": ["exploit"], "url": "https://packetstorm.news/files/id/190178/"}, {"name": "VulnCheck Advisory: Ksenia Security Lares 4.0 Home Automation 1.6 Remote Code Execution via MPFS Upload", "tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/ksenia-security-lares-home-automation-remote-code-execution-via-mpfs-upload"}], "source": {"discovery": "UNKNOWN"}, "title": "Ksenia Security Lares 4.0 Home Automation 1.6 Remote Code Execution via MPFS Upload", "x_generator": {"engine": "vulncheck"}}, "adp": [{"references": [{"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5930.php", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-02T14:23:42.640039Z", "id": "CVE-2025-15113", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-02T14:38:35.303Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-15113", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-02T14:23:42.640039Z"}}}], "references": [{"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5930.php", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-02T14:23:47.627Z"}}], "cna": {"title": "Ksenia Security Lares 4.0 Home Automation 1.6 Remote Code Execution via MPFS Upload", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Mencha Isajlovska of Zero Science Lab"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.3, "attackVector": "LOCAL", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.4, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Ksenia Security S.p.A.", "product": "Ksenia Security Lares 4.0 Home Automation", "versions": [{"status": "affected", "version": "1.6"}, {"status": "affected", "version": "1.0.0.15"}], "defaultStatus": "unaffected"}], "datePublic": "2025-03-31T00:00:00.000Z", "references": [{"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5930.php", "name": "Zero Science Lab Disclosure (ZSL-2025-5930)", "tags": ["third-party-advisory"]}, {"url": "https://www.kseniasecurity.com/", "name": "Ksenia Security Vendor Homepage", "tags": ["product"]}, {"url": "https://packetstorm.news/files/id/190178/", "name": "Packet Storm Security Exploit", "tags": ["exploit"]}, {"url": "https://www.vulncheck.com/advisories/ksenia-security-lares-home-automation-remote-code-execution-via-mpfs-upload", "name": "VulnCheck Advisory: Ksenia Security Lares 4.0 Home Automation 1.6 Remote Code Execution via MPFS Upload", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "vulncheck"}, "descriptions": [{"lang": "en", "value": "Ksenia Security Lares 4.0 Home Automation version 1.6 contains an unprotected endpoint vulnerability that allows authenticated attackers to upload MPFS File System binary images. Attackers can exploit this vulnerability to overwrite flash program memory and potentially execute arbitrary code on the home automation system's web server.", "supportingMedia": [{"type": "text/html", "value": "<p>Ksenia Security Lares 4.0 Home Automation version 1.6 contains an unprotected endpoint vulnerability that allows authenticated attackers to upload MPFS File System binary images. Attackers can exploit this vulnerability to overwrite flash program memory and potentially execute arbitrary code on the home automation system's web server.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-256", "description": "Plaintext Storage of a Password"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-01-21T14:38:48.930Z"}}}, "cveMetadata": {"cveId": "CVE-2025-15113", "state": "PUBLISHED", "dateUpdated": "2026-01-21T14:38:48.930Z", "dateReserved": "2025-12-27T01:46:43.993Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2025-12-30T22:41:46.694Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:kseniasecurity:lares_firmware:1.6:*:*:*:*:*:*:*", "matchCriteriaId": "DF94F084-2F13-427A-9CB5-9E3E95621C8B", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:kseniasecurity:lares:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "DDE71F37-880F-4534-80FF-A2BE3D8E2AD4", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Ksenia Security Lares 4.0 Home Automation version 1.6 contains an unprotected endpoint vulnerability that allows authenticated attackers to upload MPFS File System binary images. Attackers can exploit this vulnerability to overwrite flash program memory and potentially execute arbitrary code on the home automation system's web server."}], "id": "CVE-2025-15113", "lastModified": "2026-01-21T15:16:05.937", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 6.0, "source": "disclosure@vulncheck.com", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Secondary"}]}, "published": "2025-12-30T23:15:49.913", "references": [{"source": "disclosure@vulncheck.com", "tags": ["Third Party Advisory"], "url": "https://packetstorm.news/files/id/190178/"}, {"source": "disclosure@vulncheck.com", "tags": ["Product"], "url": "https://www.kseniasecurity.com/"}, {"source": "disclosure@vulncheck.com", "tags": ["Third Party Advisory"], "url": "https://www.vulncheck.com/advisories/ksenia-security-lares-home-automation-remote-code-execution-via-mpfs-upload"}, {"source": "disclosure@vulncheck.com", "tags": ["Third Party Advisory"], "url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5930.php"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Third Party Advisory"], "url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5930.php"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-256"}], "source": "disclosure@vulncheck.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-522"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"created": "2026-01-05T10:19:43.237472+00:00", "updated": "2026-01-05T10:19:43.237514+00:00", "vendors": ["ksenia_security", "ksenia_security$PRODUCT$lares_4.0_home_automation"]}