Description

Ksenia Security lares (legacy model) Home Automation version 1.6 contains a critical security flaw that exposes the alarm system PIN in the 'basisInfo' XML file after authentication. Attackers can retrieve the PIN from the server response to bypass security measures and disable the alarm system without additional authentication.

PUBLISHED Reserved 2025-12-27 | Published 2025-12-30 | Updated 2026-02-20 | Assigner VulnCheck




CRITICAL: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)

CRITICAL: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Problem types

Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')

Product status

Default status: unknown

1.6: affected

1.0.0.15: affected

Credits

Mencha Isajlovska (finder)

References

www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5929.php [exploit]

www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5929.php (Zero Science Lab Disclosure (ZSL-2025-5929)) [technical-description, exploit]

www.vulncheck.com/...e-automation-pin-exposure-vulnerability [third-party-advisory]

cve.org (CVE-2025-15114)

nvd.nist.gov (CVE-2025-15114)
