Ksenia Security Lares 4.0 Home Automation 1.6 PIN Exposure Vulnerability

Advisories

severity: critical
date: December 30, 2025
Affecting: Ksenia Security Lares 4.0 Home Automation 1.6, 1.0.0.15
CVE: CVE-2025-15114
CWE: CWE-403 Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')
CVSS: 9.3
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References: Zero Science Lab Disclosure (ZSL-2025-5929)
Credit: Mencha Isajlovska
Description: Ksenia Security Lares 4.0 Home Automation version 1.6 contains a critical security flaw that exposes the alarm system PIN in the 'basisInfo' XML file after authentication. Attackers can retrieve the PIN from the server response to bypass security measures and disable the alarm system without additional authentication.