{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-15113","assignerOrgId":"83251b91-4cc7-4094-a5c7-464a1b83ea10","state":"PUBLISHED","assignerShortName":"VulnCheck","dateReserved":"2025-12-27T01:46:43.993Z","datePublished":"2025-12-30T22:41:46.694Z","dateUpdated":"2026-03-11T19:30:48.494Z"},"containers":{"cna":{"providerMetadata":{"orgId":"83251b91-4cc7-4094-a5c7-464a1b83ea10","shortName":"VulnCheck","dateUpdated":"2026-03-11T19:30:48.494Z"},"title":"Ksenia Security lares Home Automation 1.6 Remote Code Execution via MPFS Upload","datePublic":"2025-03-31T00:00:00.000Z","problemTypes":[{"descriptions":[{"lang":"en","cweId":"CWE-256","description":"CWE-256 Plaintext storage of a password","type":"CWE"}]}],"affected":[{"vendor":"Ksenia Security S.p.A.","product":"lares","versions":[{"status":"affected","version":"1.6"},{"status":"affected","version":"1.0.0.15"}],"defaultStatus":"unaffected"}],"descriptions":[{"lang":"en","value":"Ksenia Security lares (legacy model) Home Automation version 1.6 contains an unprotected endpoint vulnerability that allows authenticated attackers to upload MPFS File System binary images. Attackers can exploit this vulnerability to overwrite flash program memory and potentially execute arbitrary code on the home automation system's web server.","supportingMedia":[{"type":"text/html","base64":false,"value":"<p><span>Ksenia Security lares (legacy model)</span> Home Automation version 1.6 contains an unprotected endpoint vulnerability that allows authenticated attackers to upload MPFS File System binary images. Attackers can exploit this vulnerability to overwrite flash program memory and potentially execute arbitrary code on the home automation system's web server.</p>"}]}],"tags":["unsupported-when-assigned"],"references":[{"url":"https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5930.php","name":"Zero Science Lab Disclosure (ZSL-2025-5930)","tags":["third-party-advisory"]},{"url":"https://www.kseniasecurity.com/","name":"Ksenia Security Vendor Homepage","tags":["product"]},{"url":"https://packetstorm.news/files/id/190178/","name":"Packet Storm Security Exploit","tags":["exploit"]},{"url":"https://www.vulncheck.com/advisories/ksenia-security-lares-home-automation-remote-code-execution-via-mpfs-upload","tags":["third-party-advisory"]}],"metrics":[{"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}],"cvssV3_1":{"version":"3.1","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseSeverity":"CRITICAL","baseScore":9.3,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"}},{"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}],"cvssV3_1":{"version":"3.1","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseSeverity":"HIGH","baseScore":8.4,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}],"credits":[{"lang":"en","value":"Mencha Isajlovska of Zero Science Lab","type":"finder"}],"source":{"discovery":"UNKNOWN"},"x_generator":{"engine":"vulncheck"}},"adp":[{"references":[{"url":"https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5930.php","tags":["exploit"]}],"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-01-02T14:23:42.640039Z","id":"CVE-2025-15113","options":[{"Exploitation":"poc"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-01-02T14:38:35.303Z"}}]}}