ZimaOS: Internal Network Access via Authenticated Local User Request
CVE-2025-64427 · Severity score: 6.5
Summary
A known issue in ZimaOS versions 1.5.0 and earlier allows an authenticated local user to reach internal network services that should not be accessible to them. An attacker with such an account could use this to access sensitive internal resources. Until a fix is available, consider compensating measures that restrict local user access.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| zimaspace | zimaos | <= 1.5.0 | No |
Original title
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.0 and prior, due to insufficient validation or restriction of target URLs, an authentic...
Original description
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.0 and prior, due to insufficient validation or restriction of target URLs, an authenticated local user can craft requests that target internal IP addresses (e.g., 127.0.0.1, localhost, or private network ranges). This allows the attacker to interact with internal HTTP/HTTPS services that are not intended to be exposed externally or to local users. No known patch is publicly available.
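The description above attributes the issue to insufficient validation of user-supplied target URLs, which is the classic SSRF root cause. The following is an added example of the kind of target check a defender would put in front of such a request path; it is not ZimaOS or CasaOS code, and the hostnames, addresses and helper names (ValidateTarget, DialControl, StubResolver) are assumptions constructed for this illustration. It rejects loopback, private, link-local, unspecified and multicast destinations both as IP literals and as names that resolve to them, and it repeats the check at connect time so that a name that changes its answer between validation and connection (DNS rebinding) is still caught.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
	"syscall"
)

// Resolver abstracts DNS lookup so the policy can be exercised offline.
type Resolver func(host string) ([]net.IP, error)

// isInternalIP reports whether ip lies in a range a user-supplied target must
// never reach: loopback, RFC 1918 / ULA private space, link-local (which
// covers 169.254.169.254-style metadata endpoints), the unspecified address
// and multicast. net.IP's methods already unwrap IPv4-mapped IPv6 literals
// such as ::ffff:127.0.0.1, so those are caught as well.
func isInternalIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsInterfaceLocalMulticast() ||
		ip.IsUnspecified() || ip.IsMulticast()
}

// ValidateTarget rejects a URL that points at an internal address, either as
// an IP literal or through a hostname that resolves to one. Every resolved
// address is checked: a name with one public and one private record is still
// an SSRF vector.
func ValidateTarget(rawURL string, resolve Resolver) error {
	u, err := url.Parse(rawURL)
	if err != nil {
		return fmt.Errorf("unparseable URL: %w", err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := u.Hostname() // brackets around IPv6 literals are stripped here
	if host == "" {
		return errors.New("empty host")
	}
	if ip := net.ParseIP(host); ip != nil {
		if isInternalIP(ip) {
			return fmt.Errorf("IP literal %s is internal", ip)
		}
		return nil
	}
	name := strings.ToLower(strings.TrimSuffix(host, "."))
	if name == "localhost" || strings.HasSuffix(name, ".localhost") {
		return errors.New("localhost is internal")
	}
	// Anything else, including alternate encodings such as a decimal integer
	// address, is judged by what it actually resolves to.
	ips, err := resolve(host)
	if err != nil {
		return fmt.Errorf("resolve %q: %w", host, err)
	}
	if len(ips) == 0 {
		return fmt.Errorf("host %q resolved to no addresses", host)
	}
	for _, ip := range ips {
		if isInternalIP(ip) {
			return fmt.Errorf("host %q resolves to internal address %s", host, ip)
		}
	}
	return nil
}

// DialControl applies the same policy to the address the socket is about to
// connect to. Installed as net.Dialer.Control it closes the gap between
// validation and connect that DNS rebinding exploits.
func DialControl(network, address string, _ syscall.RawConn) error {
	host, _, err := net.SplitHostPort(address)
	if err != nil {
		return err
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return fmt.Errorf("non-IP dial address %q", address)
	}
	if isInternalIP(ip) {
		return fmt.Errorf("refusing to connect to internal address %s", ip)
	}
	return nil
}

// StubResolver is a constructed lookup table standing in for DNS; the names
// and addresses are invented for this example.
func StubResolver(host string) ([]net.IP, error) {
	table := map[string][]net.IP{
		"nas.example.internal": {net.ParseIP("192.168.1.10")},
		"www.example.com":      {net.ParseIP("203.0.113.5")},
	}
	if ips, ok := table[strings.ToLower(host)]; ok {
		return ips, nil
	}
	return nil, fmt.Errorf("no such host")
}

func main() {
	for _, t := range []string{
		"http://127.0.0.1:8080/", "http://[::ffff:127.0.0.1]/",
		"http://169.254.169.254/latest/meta-data/", "http://localhost/",
		"http://nas.example.internal/", "https://www.example.com/",
	} {
		fmt.Printf("%-42s -> %v\n", t, ValidateTarget(t, StubResolver))
	}
	// In production: &net.Dialer{Control: DialControl} as the transport's dialer.
}
```

The two layers are deliberate: ValidateTarget gives the user a clear error before any request is made, while DialControl is the check that cannot be bypassed by a resolver answer that changes after validation. An allow-list of permitted destinations is a stronger policy still where the feature's use case permits one.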
NVD CVSS 3.1 base score: 6.5
Vulnerability type
- CWE-200: Information Exposure
- CWE-918: Server-Side Request Forgery (SSRF)
References
- https://github.com/IceWhaleTech/ZimaOS/security/advisories/GHSA-m8hj-7xg5-p375 (Vendor Advisory; tagged Exploit, Mitigation)
Published: 2 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026