CVE-2025-15112

low-risk
Published 2025-12-30

Ksenia Security lares (legacy model) version 1.6 contains a URL redirection vulnerability in the 'cmdOk.xml' script that allows attackers to manipulate the 'redirectPage' GET parameter. Attackers can craft malicious links that redirect authenticated users to arbitrary websites when clicking on a specially constructed link hosted on a trusted domain.

Do I need to act?

-
0.01% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.4/10 Medium
NETWORK / LOW complexity

Affected Products (1)

Lares Firmware

Affected Vendors

Kseniasecurity

References (5)

Third Party Advisory https://packetstorm.news/files/id/190179/
Product https://www.kseniasecurity.com/
Third Party Advisory https://www.vulncheck.com/advisories/ksenia-security-lares-home-automation-url-r...
Third Party Advisory https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5928.php
Third Party Advisory https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5928.php
26
/ 100
low-risk
Severity 21/34 · High
Exploitability 0/34 · Minimal
Exposure 5/34 · Minimal