Ksenia Security Lares 4.0 Home Automation Default Credentials

Title: Ksenia Security Lares 4.0 Home Automation Default Credentials
Advisory ID: ZSL-2025-5927
Type: Local/Remote
Impact: System Access, Exposure of System Information, Exposure of Sensitive Information, DoS
Risk: (5/5)
Release Date: 31.03.2025
Summary
Lares is a burglar alarm & home automation system that can be controlled by means of an ergo LCD keyboard, as well as remotely by telephone, and even via the Internet through a built-in web server.
Description
Ksenia Lares uses a weak set of default administrative credentials that can be found and used to gain full control of the system.
Vendor
Ksenia Security S.p.A. - https://www.kseniasecurity.com
Affected Version
Firmware version 1.6
Webserver version 1.0.0.15
Tested On
Ksenia Lares Webserver
Vendor Status
[03.07.2024] Vulnerability discovered.
[27.09.2024] Vendor contacted.
[30.03.2025] No response from the vendor.
[31.03.2025] Public security advisory released.
PoC
ksenia_creds.txt
Credits
Vulnerability discovered by Mencha Isajlovska - <shadelock@zeroscience.mk>
References
N/A
Changelog
[31.03.2025] - Initial release
Contact
Zero Science Lab

Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk