CVE-2025-15112 MEDIUM

CVE-2025-15112: Ksenia Security lares Home Automation 1.6 URL Redirection Vulnerability

Vendor Ksenia Security S.p.a.
Product lares
Weakness CWE-601 · Open redirect
Published December 30, 2025
Last update March 11, 2026

CVSS base score

5.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N

What the vulnerability does

01 Description

Ksenia Security lares (legacy model) version 1.6 contains a URL redirection vulnerability in the 'cmdOk.xml' script, which allows attackers to manipulate the 'redirectPage' GET parameter. Attackers can craft malicious links, hosted on a trusted domain, that redirect authenticated users to arbitrary websites when the users click them.
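A defender-side check for the pattern described above, as an added example that is not part of the original record or the vendor's code: it scans web or proxy access-log lines for requests to `cmdOk.xml` whose `redirectPage` value points away from the panel's own host. The log format, the sample lines, the relative value `index.xml`, and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Request line of a common/combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample lines; 192.0.2.10 stands in for the panel's own address.
SAMPLE_LOG = [
    '198.51.100.7 - - [30/Dec/2025:10:00:01 +0000] "GET /cmdOk.xml?redirectPage=index.xml HTTP/1.1" 200 512',
    '198.51.100.7 - - [30/Dec/2025:10:02:14 +0000] "GET /cmdOk.xml?redirectPage=https%3A%2F%2Felsewhere.example.invalid%2Flogin HTTP/1.1" 200 512',
    '198.51.100.9 - - [30/Dec/2025:10:05:40 +0000] "GET /cmdOk.xml?redirectPage=//other.example.invalid/ HTTP/1.1" 200 512',
    '198.51.100.9 - - [30/Dec/2025:10:06:02 +0000] "GET /cmdOk.xml?redirectPage=http://192.0.2.10/index.xml HTTP/1.1" 200 512',
    '198.51.100.9 - - [30/Dec/2025:10:07:30 +0000] "GET /status.xml HTTP/1.1" 200 128',
]

def is_offsite(target: str, panel_host: str) -> bool:
    """True when a redirectPage value would leave the panel's own host."""
    # Browsers treat backslashes as slashes and drop whitespace/control characters.
    cleaned = re.sub(r"[\x00-\x20]", "", target.replace("\\", "/"))
    try:
        parts = urlsplit(cleaned)
    except ValueError:
        return True  # unparseable target: treat as suspicious
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return True  # any other scheme is never a local page
    if parts.netloc:  # absolute or scheme-relative (//host) URL
        return (parts.hostname or "").lower() != panel_host.lower()
    return False  # plain relative path stays on the panel

def flag_offsite_redirects(log_lines, panel_host):
    """Return (line_number, redirectPage value) for each suspicious cmdOk.xml request."""
    hits = []
    for lineno, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if not url.path.lower().endswith("/cmdok.xml"):
            continue
        # parse_qs percent-decodes, so encoded targets are checked in decoded form.
        for value in parse_qs(url.query).get("redirectPage", []):
            if is_offsite(value, panel_host):
                hits.append((lineno, value))
    return hits

if __name__ == "__main__":
    for lineno, value in flag_offsite_redirects(SAMPLE_LOG, "192.0.2.10"):
        print(f"line {lineno}: redirectPage leaves the panel -> {value}")
```

The same `is_offsite` test is the shape of a server-side fix for CWE-601: accept only relative targets or targets on the device's own host, and reject everything else.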

Key dates

02 Disclosure timeline

December 30, 2025 CVE published
March 11, 2026 Record updated