
Description

Ksenia Security Lares 4.0 Home Automation version 1.6 contains a critical security flaw that exposes the alarm system PIN in the 'basisInfo' XML file after authentication. Attackers can retrieve the PIN from the server response to bypass security measures and disable the alarm system without additional authentication.

PUBLISHED Reserved 2025-12-27 | Published 2025-12-30 | Updated 2025-12-30 | Assigner VulnCheck




CRITICAL: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)
CRITICAL: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Problem types

Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')

Product status

1.6 (affected)

1.0.0.15 (affected)

Credits

Mencha Isajlovska (finder)

References

www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5929.php (Zero Science Lab Disclosure (ZSL-2025-5929)) third-party-advisory

www.vulncheck.com/...e-automation-pin-exposure-vulnerability (VulnCheck Advisory: Ksenia Security Lares 4.0 Home Automation 1.6 PIN Exposure Vulnerability) third-party-advisory

cve.org (CVE-2025-15114)

nvd.nist.gov (CVE-2025-15114)


Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.