Ksenia Security Lares 4.0 Home Automation Default Credentials

Zero Science Lab

Title: Ksenia Security Lares 4.0 Home Automation Default Credentials
Advisory ID: ZSL-2025-5927
Type: Local/Remote
Impact: System Access, Exposure of System Information, Exposure of Sensitive Information, DoS
Risk: (5/5)
Release Date: 31.03.2025

Summary

Lares is a burglar alarm & home automation system that can be controlled by means of an ergo LCD keyboard, as well as remotely by telephone, and even via the Internet through a built-in WEB server.

Description

Ksenia Lares uses a weak set of default administrative credentials that can be found and used to gain full control of the system.

Vendor

Ksenia Security S.p.A. - https://www.kseniasecurity.com

Affected Version

Firmware version 1.6
Webserver version 1.0.0.15

Tested On

Ksenia Lares Webserver

Vendor Status

[03.07.2024] Vulnerability discovered.
[27.09.2024] Vendor contacted.
[30.03.2025] No response from the vendor.
[31.03.2025] Public security advisory released.

PoC

ksenia_creds.txt

Credits

Vulnerability discovered by Mencha Isajlovska - <shadelock@zeroscience.mk>

References

[1] https://packetstorm.news/files/id/190180/

Changelog

[31.03.2025] - Initial release
[03.04.2025] - Added reference [1]

Contact

Zero Science Lab

Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk
