CVE-2025-15111 to CVE-2025-15114: Four Flaws, One Alarm System — How Lares 4.0 Can Be Silently Disarmed and Taken Over

Affected Product

Ksenia Security – Lares 4.0 Home Automation & Alarm System
Affected Version: 1.6


At-a-Glance Risk Summary

CVE ID           Severity   Impact
CVE-2025-15114   Critical   Alarm PIN disclosure → Alarm bypass
CVE-2025-15113   High       Flash overwrite → Potential RCE
CVE-2025-15112   Medium     Open redirect → Phishing & session abuse
CVE-2025-15111   High       Default credentials → Full admin takeover

Overall Risk: Severe – Physical security systems can be disabled or fully compromised


CVE-2025-15114 – Alarm PIN Disclosure via XML Response

Severity: Critical

CVSS (Estimated): 9.1

Attack Requirements: Authenticated user

User Interaction: None

What’s the Issue

After authentication, the Lares 4.0 system returns a basisInfo XML response that contains the alarm system PIN in plaintext. No additional privileges are required.

Why This Is Dangerous

  • The PIN is the last line of defense for disabling alarms
  • Any authenticated user (including low-privilege users) can extract it
  • Once obtained, the alarm can be disarmed silently

Attack Scenario

  1. Attacker logs in with any valid account
  2. Requests the basisInfo XML endpoint
  3. Extracts the alarm PIN from the server response
  4. Disables alarm without alerts or additional authentication

Impact

  • Alarm bypass
  • Physical intrusion
  • Complete loss of security integrity

CVE-2025-15113 – Arbitrary MPFS Image Upload Leading to Flash Overwrite

Severity: High

CVSS (Estimated): 8.4

Attack Requirements: Authenticated user

What’s the Issue

An unprotected upload endpoint allows authenticated users to upload MPFS filesystem binary images directly to the device.

There is no validation of:

  • File type
  • File size
  • Memory boundaries
  • Firmware integrity

Why This Is Dangerous

  • Flash memory can be overwritten
  • Malicious payloads can persist across reboots
  • Potential for remote code execution on the web server

Attack Scenario

  • Attacker uploads a crafted MPFS image
  • Image overwrites flash memory
  • Malicious logic executes at runtime or boot

Impact

  • Persistent compromise
  • Firmware-level malware
  • System bricking or stealth backdoors

CVE-2025-15112 – Open Redirect via cmdOk.xml

Severity: Medium

CVSS (Estimated): 6.1

Attack Requirements: Authenticated user interaction

What’s the Issue

The cmdOk.xml script fails to validate the redirectPage GET parameter, allowing attackers to redirect users to arbitrary external websites.

Why This Matters

  • The link originates from a trusted alarm system domain
  • Users are more likely to trust and click
  • Can be chained with credential harvesting or malware delivery

Attack Scenario

  • Attacker crafts a malicious URL
  • Victim clicks link while authenticated
  • Browser redirects to attacker-controlled site

Impact

  • Phishing
  • Session token theft
  • Social engineering attacks

CVE-2025-15111 – Default Administrative Credentials

Severity: High

CVSS (Estimated): 8.8

Attack Requirements: None

What’s the Issue

Lares 4.0 ships with default administrative credentials that are:

  • Weak
  • Well-known
  • Often left unchanged

Why This Is Critical

  • No brute force required
  • No user interaction required
  • Direct admin access

Attack Scenario

  • Attacker accesses the web interface
  • Logs in using default credentials
  • Gains full system control

Impact

  • Alarm disablement
  • Configuration tampering
  • Full device takeover

Chained Attack: Worst-Case Scenario

These vulnerabilities are highly chainable:

  1. Default credentials grant admin access
  2. PIN extracted via XML response
  3. Alarm disabled silently
  4. MPFS firmware overwritten for persistence

Result: Silent physical intrusion with long-term compromise


MITRE ATT&CK Mapping

Initial Access

  • T1078 – Valid Accounts
  • T1190 – Exploit Public-Facing Application

Execution

  • T1059 – Command Execution
  • T1106 – Native API

Persistence

  • T1542 – Firmware Compromise

Defense Evasion

  • T1027 – Obfuscated Files
  • T1562 – Impair Defenses

Impact

  • T1489 – Service Stop
  • T1499 – Denial of Service
  • T1485 – Data Destruction

Detection & Monitoring Guidance

What to Watch For

  • Unexpected firmware uploads
  • Repeated XML configuration requests
  • Redirects to non-Ksenia domains
  • Configuration changes without maintenance windows

Relevant Log Sources

  • Web server access logs
  • Firmware update logs
  • System configuration audit logs
  • Authentication logs
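As an added example (not from the advisory and not Ksenia's own tooling), the following Python script applies three of the checks listed above to constructed access-log lines: MPFS upload attempts, repeated basisInfo pulls from one source, and cmdOk.xml requests whose redirectPage leaves the device. The endpoint names basisInfo, cmdOk.xml and redirectPage come from the advisory; the Apache-style log format, the upload path /mpfsupload, the alert threshold and the trusted-host list are assumptions.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed: Apache-style access log; the device's real log format may differ.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})')
TRUSTED_HOSTS = {"ksenia.eu", "www.ksenia.eu"}   # assumed allow-list for redirect targets
XML_THRESHOLD = 5                                 # basisInfo pulls from one IP before alerting
UPLOAD_PATH = "/mpfsupload"                       # assumed name of the MPFS upload endpoint

def redirect_is_external(url):
    """True when cmdOk.xml's redirectPage is not an on-device path (absolute, protocol-relative
    or backslash-confused URL) and its host is not on the allow-list."""
    target = unquote(parse_qs(urlsplit(url).query).get("redirectPage", [""])[0])
    if target[:2] in ("//", "/\\", "\\\\", "\\/"):   # browsers treat these as scheme-relative
        return True
    parts = urlsplit(target)
    return bool(parts.scheme or parts.netloc) and parts.hostname not in TRUSTED_HOSTS

def scan(lines):
    """Return (ip, rule, detail) tuples for the three access-log patterns above."""
    alerts, xml_pulls = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, url = m["ip"], m["method"], m["url"]
        path = urlsplit(url).path.lower()
        if method == "POST" and path == UPLOAD_PATH:
            alerts.append((ip, "firmware-upload", f"{method} {url} -> {m['status']}"))
        elif "basisinfo" in path:
            xml_pulls[ip] += 1
            if xml_pulls[ip] == XML_THRESHOLD:      # alert once per source, not per request
                alerts.append((ip, "repeated-xml", f"{XML_THRESHOLD}+ basisInfo requests"))
        elif path.endswith("cmdok.xml") and redirect_is_external(url):
            alerts.append((ip, "open-redirect", url))
    return alerts

# Constructed sample log: one benign user (10.0.0.7) and one noisy source (10.0.0.9).
SAMPLE_LOG = [
    '10.0.0.7 - - [01/Jan/2025:10:00:01 +0000] "GET /index.htm HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2025:10:00:02 +0000] "GET /cmdOk.xml?redirectPage=/status.htm HTTP/1.1" 200 88',
    '10.0.0.9 - - [01/Jan/2025:10:01:00 +0000] "GET /cmdOk.xml?redirectPage=https%3A%2F%2Fevil.example%2Flogin HTTP/1.1" 200 88',
    '10.0.0.9 - - [01/Jan/2025:10:01:05 +0000] "POST /mpfsupload HTTP/1.1" 200 40',
] + [f'10.0.0.9 - - [01/Jan/2025:10:02:{i:02d} +0000] "GET /basisInfo.xml HTTP/1.1" 200 900' for i in range(6)]

if __name__ == "__main__":
    for ip, rule, detail in scan(SAMPLE_LOG):
        print(f"ALERT {rule:16} {ip:10} {detail}")
```

The repeated-xml rule fires once per source at the threshold rather than per request, so a legitimate status page that polls basisInfo will need the threshold tuned or the polling host allow-listed.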

Mitigation & Remediation

Immediate Actions

  • Change all default credentials
  • Restrict web interface access
  • Monitor firmware update activity
  • Isolate devices from the internet

Permanent Fix

Apply vendor-provided updates and firmware patches from the official source:

Official Updates:
https://www.ksenia.eu


Final Assessment

These vulnerabilities collectively represent a serious failure of security design in a product meant to protect people and property. When alarm systems leak PINs, accept arbitrary firmware, and ship with default credentials, the risk is not theoretical — it is immediate and physical.

If you are running Lares 4.0 v1.6, treat this as urgent.


Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.