Title: Ksenia Security Lares 4.0 Home Automation PIN Logic Flaw
Advisory ID: ZSL-2025-5929
Type: Local/Remote
Impact: Logic Flaw, Information Disclosure, DoS, Security Bypass
Risk: (4/5)
Release Date: 31.03.2025

Summary

Lares is a burglar alarm & home automation system that can be controlled by means of an ergo LCD keyboard, as well as remotely by telephone, and even via the Internet through a built-in WEB server.

Description

The Ksenia home automation and burglar alarm system has a security flaw where the PIN required to disable the alarm is exposed in the 'basisInfo' XML file after initial authentication, allowing attackers who gain access to this file to bypass security measures. This design flaw enables unauthorized individuals to both disable the alarm system and manipulate smart home devices by simply retrieving the PIN from the server response, effectively rendering the security system useless since the supposedly secret PIN is easily obtainable once an attacker reaches the authenticated state. The system should never expose sensitive codes in API responses and should implement proper multi-factor authentication for critical functions like alarm deactivation.

Vendor

Ksenia Security S.p.A. - https://www.kseniasecurity.com

Affected Version

Firmware version 1.6
Webserver version 1.0.0.15

Tested On

Ksenia Lares Webserver

Vendor Status

[03.07.2024] Vulnerability discovered.
[27.09.2024] Vendor contacted.
[30.03.2025] No response from the vendor.
[31.03.2025] Public security advisory released.

PoC

ksenia_pin.txt

Credits

Vulnerability discovered by Mencha Isajlovska - <shadelock@zeroscience.mk>

References

N/A

Changelog

[31.03.2025] - Initial release

Contact

Zero Science Lab

Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk