Ksenia Security Lares 4.0 Home Automation Default Credentials
Title: Ksenia Security Lares 4.0 Home Automation Default Credentials
Advisory ID: ZSL-2025-5927
Type: Local/Remote
Impact: System Access, Exposure of System Information, Exposure of Sensitive Information, DoS
Risk: (5/5)
Release Date: 31.03.2025
Webserver version 1.0.0.15
[27.09.2024] Vendor contacted.
[30.03.2025] No response from the vendor.
[31.03.2025] Public security advisory released.
[03.04.2025] - Added reference [1]
Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk
Advisory ID: ZSL-2025-5927
Type: Local/Remote
Impact: System Access, Exposure of System Information, Exposure of Sensitive Information, DoS
Risk: (5/5)
Release Date: 31.03.2025
Summary
Lares is a burglar alarm & home automation system that can be controlled by means of an ergo LCD keyboard, as well as remotely by telephone, and even via the Internet through a built-in WEB server.Description
Ksenia Lares uses a weak set of default administrative credentials that can be found and used to gain full control of the system.Vendor
Ksenia Security S.p.A. - https://www.kseniasecurity.comAffected Version
Firmware version 1.6Webserver version 1.0.0.15
Tested On
Ksenia Lares WebserverVendor Status
[03.07.2024] Vulnerability discovered.[27.09.2024] Vendor contacted.
[30.03.2025] No response from the vendor.
[31.03.2025] Public security advisory released.
PoC
ksenia_creds.txtCredits
Vulnerability discovered by Mencha Isajlovska - <shadelock@zeroscience.mk>References
[1] https://packetstorm.news/files/id/190180/Changelog
[31.03.2025] - Initial release[03.04.2025] - Added reference [1]
Contact
Zero Science LabWeb: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk
