CVE-2025-15113: CWE-256 Plaintext storage of a password in Ksenia Security S.p.A. lares
Ksenia Security lares (legacy model) Home Automation version 1.6 contains an unprotected endpoint vulnerability that allows authenticated attackers to upload MPFS File System binary images. Attackers can exploit this vulnerability to overwrite flash program memory and potentially execute arbitrary code on the home automation system's web server.
AI Analysis
Technical Summary
CVE-2025-15113 affects the legacy lares home automation system by Ksenia Security S.p.A., specifically versions 1.6 and 1.0.0.15. The core issue is an unprotected endpoint that permits unauthenticated attackers to upload MPFS (Microchip File System) binary images directly to the device. This capability allows attackers to overwrite the device's flash program memory, which contains the firmware and critical system code. By replacing or modifying this memory, attackers can execute arbitrary code on the embedded web server that controls the home automation system. The vulnerability is associated with CWE-256, indicating that plaintext password storage may be involved, possibly facilitating unauthorized access or exploitation. The CVSS v3.1 base score of 9.3 reflects the vulnerability's critical nature, with an attack vector requiring local network access (AV:L), low attack complexity (AC:L), no privileges required (PR:N), and no user interaction (UI:N). The scope is changed (S:C), meaning the vulnerability affects components beyond the initially vulnerable component, impacting confidentiality, integrity, and availability at a high level. Although no public exploits are currently known, the potential for remote code execution on a home automation system makes this a severe threat. The lack of available patches at the time of publication increases the urgency for mitigation.
Potential Impact
The vulnerability allows attackers to gain full control over affected lares home automation devices by executing arbitrary code on the embedded web server. This can lead to complete compromise of the device, including unauthorized access to the home network, manipulation of connected security systems, and potential pivoting to other internal systems. Confidentiality is at risk as attackers could access sensitive data or credentials stored on the device. Integrity is compromised since attackers can alter device firmware and behavior, potentially disabling security features or causing malfunctions. Availability is also threatened because malicious firmware could render the device inoperable or cause denial of service. Organizations relying on these devices for physical security or automation may face operational disruptions, privacy violations, and increased risk of further network intrusions. The critical severity and ease of exploitation without authentication make this a significant threat to residential and commercial users of the lares system.
Mitigation Recommendations
1. Immediately isolate affected lares devices from untrusted networks, especially the internet and guest Wi-Fi segments, to reduce exposure.
2. Monitor network traffic for unusual upload attempts or unauthorized access to the MPFS upload endpoint.
3. Implement network segmentation to restrict access to home automation devices only to trusted users and systems.
4. If possible, disable or restrict the vulnerable upload endpoint through device configuration or firewall rules until a vendor patch is available.
5. Contact Ksenia Security S.p.A. for official patches or firmware updates addressing this vulnerability and apply them promptly once released.
6. Employ strong network access controls and authentication mechanisms to prevent unauthorized access to the device management interfaces.
7. Regularly audit device configurations and logs for signs of compromise or anomalous activity.
8. Consider replacing legacy lares devices with newer models that have improved security features and are actively supported.
9. Educate users about the risks of exposing home automation devices to untrusted networks and the importance of timely updates.
Affected Countries
Italy, Germany, France, United Kingdom, United States, Canada, Australia, Netherlands, Spain, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2025-12-27T01:46:43.993Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6954592edb813ff03e38559a
Added to database: 12/30/2025, 10:58:54 PM
Last enriched: 3/15/2026, 12:57:14 AM
Last updated: 3/26/2026, 3:52:20 AM