As a homeowner, you rely on your security cameras and alarm for home protection. Modern CCTV systems have an LCD panel in your house, but you can also connect to the main system from your phone. The Ksenia Security Lares system has several vulnerabilities in its web server and smartphone app that could give attackers complete control over a homeowner’s system.

When you want to enable or disable your security system, you enter a PIN, usually a four-to-six digit number. The first of the four vulnerabilities, detailed in CVE-2025-15111, is that the Ksenia Security system sets this PIN to 123456 by default, and the default admin username is lares. This might seem insignificant, but attackers routinely scan systems (including routers and IoT devices) for admin access using default credentials. If you set up the Ksenia system yourself, or connected it to the internet without changing the admin password, the default security PIN lets anyone access your system.

The default PIN is one vulnerability, but the following sections explain the other three. If you use Ksenia Security, you should upgrade to the latest version. Any version up to and including 1.6 is vulnerable to common exploits.

Disclosure of the Ksenia PIN in basisInfo.xml

In CVE-2025-15114, an authenticated user can obtain the basisInfo.xml file, which contains the security system PIN in plaintext. Every password or PIN should be protected, encrypted in transit and hashed with a salt when stored in a database, but the Ksenia web server API returns the XML file with the PIN in the clear. The proof of concept is a single cURL command that retrieves the file from your Ksenia security system:

curl http://192.168.1.5/xml/info/basisInfo.xml

The IP address should be the IP address of your own Ksenia web server. It will likely be similar to the above example. The file you receive will have the following content:

<basisInfo>
<askPIN>1</askPIN>
<PINToUse>147258</PINToUse>
<PINTimeout>30</PINTimeout>
<startFromMap>0</startFromMap>
</basisInfo>

You might think this isn’t a critical issue, because the user must be authenticated. Let’s say that your phone is stolen, or that you download the file to your computer: malware could send this information to an attacker, or anyone using your computer could read the file. Let’s say that you use Ksenia security systems at your office: because the request above is plain HTTP, an attacker on the same network could use a sniffer to capture the downloaded file and its content. Any type of password or PIN should only ever travel over an encrypted channel to protect it from eavesdropping.
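As an added example (not part of the original post and not Ksenia’s code), here is a small audit you can run against the basisInfo.xml returned by your own Lares web server. It flags the weaknesses described so far: a PIN returned in plaintext, the factory default 123456, and trivially weak digit patterns. fetch_basis_info() is an assumed helper using the path shown above; audit_basis_info() works on the XML text alone.

```python
import urllib.request
import xml.etree.ElementTree as ET

DEFAULT_PIN = "123456"   # factory PIN named in the post

# Constructed sample with the same shape as the basisInfo.xml shown above.
SAMPLE_BASIS_INFO = """<basisInfo>
<askPIN>1</askPIN>
<PINToUse>147258</PINToUse>
<PINTimeout>30</PINTimeout>
<startFromMap>0</startFromMap>
</basisInfo>"""


def audit_basis_info(xml_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    root = ET.fromstring(xml_text)
    pin_el = root.find("PINToUse")
    pin = (pin_el.text or "").strip() if pin_el is not None else ""
    if not pin:
        return findings            # no PIN in the document: nothing to flag
    # Any non-empty PINToUse means the server handed the PIN out in clear text.
    findings.append("plaintext PIN returned in basisInfo.xml")
    if pin == DEFAULT_PIN:
        findings.append("PIN is still the factory default 123456")
    elif len(set(pin)) == 1 or pin in "0123456789":
        findings.append("PIN is a single repeated digit or a digit run")
    return findings


def fetch_basis_info(host, timeout=5):
    """Fetch basisInfo.xml over plain HTTP (the only transport the post shows)
    from a Lares web server you own, e.g. host='192.168.1.5'."""
    url = f"http://{host}/xml/info/basisInfo.xml"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    for finding in audit_basis_info(SAMPLE_BASIS_INFO):
        print("-", finding)
```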

Open URL Redirect Vulnerability in Ksenia Logic

Probably the most interesting vulnerability, detailed in CVE-2025-15112, is a URL redirection flaw reachable through the cmdOk.xml file. The cmdOk.xml file is used when changing a configuration setting on the Ksenia security system. After the setting is changed, the user is redirected to another page based on the URL in the redirectPage querystring variable. An open URL redirect vulnerability does not validate that this URL belongs to the system itself, so attackers can send users a link to the legitimate Ksenia web server that redirects to a destination of the attacker’s choosing. These attacks are useful for phishing, because users trust the site that redirects them.

Let’s say that an attacker sends the following URL to a Ksenia security user:

http://192.168.1.5/xml/cmd/cmdOk.xml?cmd=setMacro&pin=11111&macroId=2&redirectPage=//my-cool-phishing-domain.com

Notice that the redirectPage querystring variable is set to a phishing domain. It’s obvious in this example, but attackers will use a domain that looks official. Usually, the domain has one small spelling error (called “typosquatting”) or it’s a homoglyph of the original spelling. A homoglyph attack uses characters that look like the expected letters, for example Cyrillic letters in place of Latin ones, or a capital “I” in place of a lowercase “l”. For example, the attack might use paypaI.com in the redirectPage parameter: the last letter of the name is not an “l” but a capital “I”.

The phishing domain might, for example, prompt the user to sign in to their Ksenia security system. If the user does not notice the malicious page, the password is sent to the attackers, who then use the disclosed credentials to authenticate to the victim’s security account.
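As an added example (not Ksenia’s code and not part of the original post), this is the kind of validation a redirectPage parameter needs before the server issues a redirect. It accepts only a same-site relative path and rejects the protocol-relative form used in the URL above, its backslash variant, and absolute URLs; the fallback page name is an assumption.

```python
from urllib.parse import parse_qs, urlsplit


def is_safe_redirect(target):
    """Accept only a same-site relative path such as "/index.html".

    Rejects the protocol-relative form used in the phishing URL ("//host"),
    the backslash variant that browsers treat the same way ("/\\host"),
    absolute URLs, and targets containing CR/LF (header injection).
    """
    if not target or not target.startswith("/"):
        return False
    if target[1:2] in ("/", "\\") or "\\" in target:
        return False
    if "\r" in target or "\n" in target:
        return False
    parts = urlsplit(target)
    return parts.scheme == "" and parts.netloc == ""


def redirect_target_for(url, fallback="/index.html"):
    """Where a hardened cmdOk.xml would send the user: the requested page if
    it passes is_safe_redirect(), otherwise a fixed local page (assumed name)."""
    query = parse_qs(urlsplit(url).query)
    requested = query.get("redirectPage", [""])[0]
    return requested if is_safe_redirect(requested) else fallback


if __name__ == "__main__":
    phishing = ("http://192.168.1.5/xml/cmd/cmdOk.xml?cmd=setMacro&pin=11111"
                "&macroId=2&redirectPage=//my-cool-phishing-domain.com")
    print(redirect_target_for(phishing))   # /index.html, not the phishing site
```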

File Upload Vulnerability in Ksenia Allows for Remote Code Execution

CVE-2025-15113 covers a vulnerability that allows an authenticated user to upload a .bin file that replaces binary code on the Ksenia security system. As explained in the previous sections, the entire system is open to unauthorized access because the PIN is stored in plaintext in a configuration XML file: attackers on the network can eavesdrop, obtain this PIN, and log in to the security system. With those credentials in hand, attackers can then use an open endpoint that accepts uploads of .bin files. A .bin file contains binary data that the device executes after it is uploaded, so an attacker can upload a malicious .bin file and run their own code on the Ksenia system. Remote code execution on IoT and security devices usually ends with the device being enrolled in a botnet, which is then used in distributed denial-of-service (DDoS) attacks.

Here is an example HTTP POST request that uploads a malicious .bin file to the Ksenia web server:

POST /upload HTTP/1.1
Host: 192.168.1.5
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary5GYWB4nichZAk7BS

------WebKitFormBoundary5GYWB4nichZAk7BS
Content-Disposition: form-data; name="i"; filename="MPFSImage.bin"
Content-Type: application/octet-stream

------WebKitFormBoundary5GYWB4nichZAk7BS--

The above request uploads MPFSImage.bin to the Ksenia web server, and the system does not validate the content of the file. Attackers can craft a malicious MPFSImage.bin file that overwrites flash memory on the system and executes malware. Users would be unaware of the change as long as the remote code does not interfere with the normal functionality of the security system.
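As an added example (not part of the original post and not Ksenia’s code), here is detection logic a defender could run over the web server’s access log to spot the three request patterns described in this post: reads of basisInfo.xml, cmdOk.xml calls whose redirectPage leaves the device, and POSTs to the /upload endpoint. The log lines are constructed in common log format; the log format and the 192.168.1.77 client are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Common-log-format line: client, timestamp, method, request target, status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample lines (not real Lares logs); the requests from
# 192.168.1.77 reproduce the URLs quoted in the post.
SAMPLE_LOG = """\
192.168.1.20 - - [03/Nov/2025:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
192.168.1.77 - - [03/Nov/2025:10:00:05 +0000] "GET /xml/info/basisInfo.xml HTTP/1.1" 200 160
192.168.1.77 - - [03/Nov/2025:10:00:09 +0000] "GET /xml/cmd/cmdOk.xml?cmd=setMacro&pin=11111&macroId=2&redirectPage=//my-cool-phishing-domain.com HTTP/1.1" 302 0
192.168.1.20 - - [03/Nov/2025:10:01:00 +0000] "GET /xml/cmd/cmdOk.xml?cmd=setMacro&pin=11111&macroId=2&redirectPage=/macro.html HTTP/1.1" 302 0
192.168.1.77 - - [03/Nov/2025:10:02:30 +0000] "POST /upload HTTP/1.1" 200 20
"""


def classify_request(method, target):
    """Map one request to an alert label, or None if it is not of interest."""
    parts = urlsplit(target)
    if parts.path.endswith("/xml/info/basisInfo.xml"):
        return "pin-disclosure"          # CVE-2025-15114: plaintext PIN read
    if parts.path.endswith("/xml/cmd/cmdOk.xml"):
        dest = parse_qs(parts.query).get("redirectPage", [""])[0]
        # Only a plain same-site path ("/page") is acceptable; "//host",
        # "/\host" and absolute URLs all leave the device's web server.
        if dest and (not dest.startswith("/") or dest[1:2] in ("/", "\\")):
            return "open-redirect"       # CVE-2025-15112
    if method == "POST" and parts.path == "/upload":
        return "firmware-upload"         # CVE-2025-15113: .bin upload endpoint
    return None


def scan_log(text):
    """Return (client_ip, timestamp, label) for every flagged request."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, method, target, _status = m.groups()
        label = classify_request(method, target)
        if label:
            alerts.append((ip, ts, label))
    return alerts


if __name__ == "__main__":
    for ip, ts, label in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} {label}")
```

A firmware upload from a client that is not the installer’s workstation, or any off-site redirectPage, is worth an alert on its own; a basisInfo.xml read followed minutes later by an upload from the same client is the sequence the post describes.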

A compromised security system lies dormant until the botnet owner sends a command to the web server. The command tells the compromised Ksenia system to send traffic to a target. With thousands of these systems compromised, an attacker can overwhelm a target with requests and exhaust its computing resources. The target crashes and cannot recover until the requests stop.

Corporations have mitigation options, such as DDoS protection services like Cloudflare, but a large botnet can still cripple performance on a target host. As an example, the popular MMO Final Fantasy 14 has been suffering from continual DDoS attacks throughout 2025. As of this writing, the operators still have not properly mitigated the attacks and have lost players because of it. Causing financial loss is often the purpose of a widespread DDoS attack on a corporation.

How to Fix the Ksenia Security Lares Vulnerabilities?

If you have Ksenia Security Lares version 1.6 or earlier, or you run the Ksenia web server version 1.0.0.15 or earlier, you need to update. You can download the latest Ksenia app for your phone from the app stores. You might need help from a Ksenia installer to update the web server.