CVE-2025-15111 identifies a critical security vulnerability in Ksenia Security S.p.A.'s Lares 4.0 Home Automation system, specifically versions 1.6 and 1.0.0.15. The vulnerability arises from the presence of hard-coded default administrative credentials embedded within the system, which are not changed or randomized upon installation. This flaw allows an unauthenticated attacker to remotely access the system with administrative privileges, bypassing all authentication mechanisms. The vulnerability is network exploitable (AV:N), requires no privileges (PR:N), no user interaction (UI:N), and has a high impact on confidentiality, integrity, and availability (VC:H/VI:H/VA:H). The attacker can fully control the home automation system, potentially manipulating security settings, disabling alarms, controlling connected devices, and accessing sensitive user data. Although no known exploits have been reported in the wild, the ease of exploitation and critical impact make this a severe threat. The lack of available patches at the time of publication increases the urgency for organizations to apply compensating controls. The vulnerability affects a product widely used in residential and commercial environments, where home automation systems are integrated with security and safety functions. The technical details confirm the vulnerability was reserved and published in late December 2025, with a CVSS 4.0 score of 9.3, indicating critical severity. The absence of patches necessitates immediate mitigation steps to prevent exploitation.

For European organizations, this vulnerability poses a significant risk to the security and privacy of home automation systems. Unauthorized administrative access can lead to manipulation or disabling of security alarms, unauthorized surveillance, and control over connected devices, potentially endangering physical safety and privacy. The compromise of these systems can also serve as a pivot point for lateral movement into broader network environments, especially in smart buildings or integrated commercial facilities. The impact extends beyond individual homes to commercial properties and critical infrastructure that rely on Ksenia Security Lares 4.0 for automation and security. The confidentiality of user data and operational integrity of security systems are at high risk, potentially resulting in financial loss, reputational damage, and regulatory penalties under GDPR if personal data is exposed. The critical nature of the vulnerability and the lack of authentication requirements make exploitation straightforward, increasing the likelihood of attacks targeting European users of this product.

1. Immediately change all default and hard-coded credentials on affected Ksenia Security Lares 4.0 devices to strong, unique passwords. 2. Implement network segmentation to isolate home automation systems from critical business networks and limit remote access. 3. Disable remote administrative access where possible or restrict it to trusted IP addresses using firewall rules. 4. Monitor network traffic and system logs for unusual access patterns or repeated login attempts indicative of exploitation attempts. 5. Engage with Ksenia Security for updates or patches and apply them promptly once available. 6. Educate users and administrators about the risks of default credentials and enforce policies for credential management. 7. Consider deploying intrusion detection/prevention systems (IDS/IPS) to detect exploitation attempts targeting this vulnerability. 8. For organizations using these systems in commercial or critical infrastructure settings, conduct a security audit to assess exposure and implement compensating controls such as multi-factor authentication if supported.