CVE-2025-15112

EUVD-2025-205863
Ksenia Security lares (legacy model) version 1.6 contains a URL redirection vulnerability in the 'cmdOk.xml' script that allows attackers to manipulate the 'redirectPage' GET parameter. Attackers can craft malicious links that redirect authenticated users to arbitrary websites when clicking on a specially constructed link hosted on a trusted domain.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.4 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
VulnCheckCNA
5.4 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 11%
Affected Products (NVD)
VendorProductVersion
kseniasecuritylares_firmware
1.6
𝑥
= Vulnerable software versions
References
https://packetstorm.news/files/id/190179/
https://www.kseniasecurity.com/
https://www.vulncheck.com/advisories/ksenia-security-lares-home-automation-url-redirection-vulnerability
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5928.php
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5928.php