Description

Ksenia Security Lares 4.0 Home Automation version 1.6 contains an unprotected endpoint vulnerability that allows authenticated attackers to upload MPFS File System binary images. Attackers can exploit this vulnerability to overwrite flash program memory and potentially execute arbitrary code on the home automation system's web server.

Related CPE's

o

kseniasecurity

lares_firmware

1.6

Vulnerable

h

kseniasecurity

lares

4.0

References

https://packetstorm.news/files/id/190178/

Third Party Advisory

https://www.kseniasecurity.com/

Product

https://www.vulncheck.com/advisories/ksenia-security-lares-home-automation-remote-code-execution-via-mpfs-upload

Third Party Advisory

https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5930.php

Third Party Advisory

https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5930.php

Third Party Advisory

Weaknesses

[email protected]

Secondary
CWE-256

[email protected]

Primary
CWE-522

CVSS impact metrics

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.8 · High

Information

Source identifier

[email protected]

Vulnerability status

Analyzed

Published

2025-12-30T23:15:49.913Z

2 weeks ago

Last modified

2026-01-07T22:05:08.027Z

1 week ago