Ksenia Security Lares 4.0 Home Automation PIN Logic Flaw

Title: Ksenia Security Lares 4.0 Home Automation PIN Logic Flaw
Advisory ID: ZSL-2025-5929
Type: Local/Remote
Impact: Logic Flaw, Information Disclosure, DoS, Security Bypass
Risk: (4/5)
Release Date: 31.03.2025
Summary
Lares is a burglar alarm & home automation system that can be controlled by means of an ergo LCD keyboard, as well as remotely by telephone, and even via the Internet through a built-in WEB server.
Description
The Ksenia home automation and burglar alarm system has a security flaw where the PIN required to disable the alarm is exposed in the 'basisInfo' XML file after initial authentication, allowing attackers who gain access to this file to bypass security measures. This design flaw enables unauthorized individuals to both disable the alarm system and manipulate smart home devices by simply retrieving the PIN from the server response, effectively rendering the security system useless since the supposedly secret PIN is easily obtainable once an attacker reaches the authenticated state. The system should never expose sensitive codes in API responses and should implement proper multi-factor authentication for critical functions like alarm deactivation.
Vendor
Ksenia Security S.p.A. - https://www.kseniasecurity.com
Affected Version
Firmware version 1.6
Webserver version 1.0.0.15
Tested On
Ksenia Lares Webserver
Vendor Status
[03.07.2024] Vulnerability discovered.
[27.09.2024] Vendor contacted.
[30.03.2025] No response from the vendor.
[31.03.2025] Public security advisory released.
PoC
ksenia_pin.txt
Credits
Vulnerability discovered by Mencha Isajlovska - <shadelock@zeroscience.mk>
References
N/A
Changelog
[31.03.2025] - Initial release
Contact
Zero Science Lab

Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk