CVE-2025-15114
EUVD-2025-205861
30.12.2025, 23:15
Ksenia Security lares (legacy model) Home Automation version 1.6 contains a critical security flaw that exposes the alarm system PIN in the 'basisInfo' XML file after authentication. Attackers can retrieve the PIN from the server response to bypass security measures and disable the alarm system without additional authentication.
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| kseniasecurity | lares_firmware | 1.6 |
Common Weakness Enumeration
- CWE-403 - Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak'): A process does not close sensitive file descriptors before invoking a child process, which allows the child to perform unauthorized I/O operations using those descriptors.
- CWE-668 - Exposure of Resource to Wrong Sphere: The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.