CVE-2025-15114 | Ksenia Security lares (legacy model) Home Automation version… | CVSS 9.8 CRITICAL

Description

Ksenia Security lares (legacy model) Home Automation version 1.6 contains a critical security flaw that exposes the alarm system PIN in the 'basisInfo' XML file after authentication. Attackers can retrieve the PIN from the server response to bypass security measures and disable the alarm system without additional authentication.

Metadata

CVE ID: CVE-2025-15114
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2025-12-27 01:46 UTC
Published: 2025-12-30 22:41 UTC
Last updated: 2026-03-11 19:29 UTC
Primary CWE: CWE-403
CWE-403 Exposure of file descriptor to unintended control sp…
Vendor / Product: Ksenia Security S.p.A. / lares
Sources: cve.org · NVD

Severity & Metrics

9.8 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC — CISA Coordinator

Exploitation: PoC
Automatable: yes
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
Ksenia Security S.p.A.	lares	—	1.6, 1.0.0.15

Weakness (CWE)

CWE	Source	Description
CWE-403	cna	CWE-403 Exposure of file descriptor to unintended control sphere ('file descriptor leak')

CVSS scores (2)

Score	Severity	Version	Source	Vector
9.8	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.3	CRITICAL	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References (2)

Zero Science Lab Disclosure (ZSL-2025-5929) https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5929.php
https://www.vulncheck.com/advisories/ksenia-security-lares-home-automation-pin-exposure-vulnerability