Ksenia Security Lares 4.0 Home Automation version 1.6 contains an unprotected endpoint vulnerability that allows authenticated attackers to upload MPFS File System binary images. Attackers can exploit this vulnerability to overwrite flash program memory and potentially execute arbitrary code on the home automation systems web server.
Weakness
The product stores a password in plaintext within resources such as memory or files.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Lares_firmware | Kseniasecurity | 1.6 (including) | 1.6 (including) |
Potential Mitigations
References
- https://packetstorm.news/files/id/190178/
- https://www.kseniasecurity.com/
- https://www.vulncheck.com/advisories/ksenia-security-lares-home-automation-remote-code-execution-via-mpfs-upload
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5930.php
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5930.php