CVE-2025-15112
Ksenia Security lares Home Automation 1.6 URL Redirection Vulnerability
| CVSS Score | 5.4 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
Ksenia Security lares (legacy model) version 1.6 contains a URL redirection vulnerability in the 'cmdOk.xml' script: attackers can manipulate its 'redirectPage' GET parameter. An attacker can craft a specially constructed link, hosted on a trusted domain, that redirects authenticated users to arbitrary websites when they click it.
| CWE | CWE-601 |
| Vendor | ksenia security s.p.a. |
| Product | lares |
| Published | Dec 30, 2025 |
| Last Updated | Mar 11, 2026 |
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | Required |
| Scope | Changed |
| Confidentiality | Low |
| Integrity | Low |
| Availability | None |
Affected Versions
Ksenia Security S.p.A. / lares
1.6 1.0.0.15
References
zeroscience.mk: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5928.php
packetstorm.news: https://packetstorm.news/files/id/190179/
kseniasecurity.com: https://www.kseniasecurity.com/
vulncheck.com: https://www.vulncheck.com/advisories/ksenia-security-lares-home-automation-url-redirection-vulnerability
Credits
Mencha Isajlovska of Zero Science Lab