CVE-2025-64427
ZimaOS is vulnerable to Server-Side Request Forgery (SSRF)
CVSS Score
7.1
EPSS Score
0.0%
EPSS Percentile
0th
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.0 and prior, due to insufficient validation or restriction of target URLs, an authenticated local user can craft requests that target internal IP addresses (e.g., 127.0.0.1, localhost, or private network ranges). This allows the attacker to interact with internal HTTP/HTTPS services that are not intended to be exposed externally or to local users. No known patch is publicly available.
| CWE | CWE-918 CWE-200 |
| Vendor | icewhaletech |
| Product | zimaos |
| Published | Mar 2, 2026 |
| Last Updated | Mar 3, 2026 |
Stay Ahead of the Next One
Get instant alerts for icewhaletech zimaos
Be the first to know when new high vulnerabilities affecting icewhaletech zimaos are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
Low
Affected Versions
IceWhaleTech / ZimaOS
< 1.5.0