
Description

Ksenia Security lares (legacy model) Home Automation version 1.6 contains an unprotected endpoint vulnerability that allows authenticated attackers to upload MPFS File System binary images. Attackers can exploit this vulnerability to overwrite flash program memory and potentially execute arbitrary code on the home automation system's web server.

PUBLISHED Reserved 2025-12-27 | Published 2025-12-30 | Updated 2026-02-20 | Assigner VulnCheck




CRITICAL: 9.3 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

HIGH: 8.4 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Problem types

Plaintext Storage of a Password

Product status

Default status: unaffected

1.6: affected

1.0.0.15: affected

Credits

Mencha Isajlovska of Zero Science Lab (finder)

References

www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5930.php [exploit]

www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5930.php (Zero Science Lab Disclosure (ZSL-2025-5930)) [third-party-advisory]

www.kseniasecurity.com/ (Ksenia Security Vendor Homepage) [product]

packetstorm.news/files/id/190178/ (Packet Storm Security Exploit) [exploit]

www.vulncheck.com/...n-remote-code-execution-via-mpfs-upload [third-party-advisory]

cve.org (CVE-2025-15113)

nvd.nist.gov (CVE-2025-15113)
